
Re: [Samba] use spnego question - samba 47 to samba48 migration




On Sat, 23 Jun 2018 17:04:39 -0300
Kontrol-Suporte via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello Gentlemen.
> OK, Tests were made. I got some errors only when using Samba48
> (samba47 is still fine) IMPORTANT: I forgot to mention... This is
> being used with SQUID Proxy for SSO authentication.
> 
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24
> len2=338 Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due
> to [{Access Denied} A process has requested access to an object but
> has not been granted those access rights.] GENSEC login failed:
> NT_STATUS_ACCESS_DENIED
> 
> I tried the new settings as suggested and also partial changes. Both
> are presenting the same behaviour. Nothing was changed in the AD
> side. I also re-checked the permissions/ownership on
> "/var/db/samba4/winbindd_privileged"  folder which is used by SQUID.

I think you might want to check that again, the 'winbindd_privileged'
dir went away quite some time ago.

> 
> To Rowland:  You asked if I really need the "min protocol = LANMAN2"
> option. Well, the idea was to enforce a minimum security level.
> 

I actually thought that, but 'LANMAN2'??? Why not 'NT1' at least?

Have you considered using Kerberos with Squid?

Rowland
