On 10/12/18 7:30 AM, Simo Sorce wrote:
> On Fri, 2018-10-12 at 13:21 +0000, Reinaldo Souza Gomes wrote:
>> Jakub,
>> I see. Thank you.
>>
>> Simo,
>> Is this gssntlmssp package meant to work on CentOS 7.5 / Samba 4.7?
> Yes, to authenticate as a domain member you need to have winbind
> installed, configured and working correctly on the system.

I just spent a very large chunk of time getting exactly this
configuration working. It is not as straightforward as one would like.
Let me settle into a more comfortable spot and I will detail what I
found needs to occur in order for you to have SSSD and winbind work at
the same time while serving SMB shares that can use either Kerberos or
NTLM (password based) authentication.

>> If so, is there any configuration needed? I would like my Samba server to be
>> able to handle NTLMSSP authentication for Windows clients, while using SSSD as the
>> authentication layer, if possible.
>> Thanks in advance.
>>
>> On Friday, 12 October 2018 05:03:29 BRT, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>>
>>> On 11 Oct 2018, at 02:08, Reinaldo Souza Gomes <reinaldosouzagomes(a)yahoo.com.br> wrote:
>>>
>>> I know that this is an old topic, but I've seen contradictory answers in
>>> different places.
>>>
>>> Some topics say that SSSD has no support for NTLM due to its inherently
>>> unsecure nature, and will never have.
>> Currently SSSD cannot handle NTLM. We thought for a long time about handling
>> NTLM, but it’s a lot of work for not so much gain…
>>
>>
>>> But others, such as this topic (https://bugzilla.redhat.com/show_bug.cgi?id=963341),
>>> seem to state that it could be possible through the gssntlmssp package.
>>>
>> Since Simo commented on the bug some time ago, maybe he still remembers how
>> gssntlmssp was supposed to help there?
>>
>>> The reason for my question is that I'm trying to use Samba with SSSD, and
>>> its authentication fails when the Windows client falls back from Kerberos to
>>> NTLMv2 for any reason:
>>> [2018/10/10 20:43:32.382948, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
>>> check_ntlm_password: Authentication for user [myusername] -> [myusername] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
>>> [2018/10/10 20:43:32.382989, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>>> Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018 20:43:32.382980 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [NTB005] remote host [ipv4:192.168.1.1:1914] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:10.1.1.1:445]
>>>
>>>
>>> Is there anything I can do to make SSSD able to deal with NTLMv2/NTLMSSP?
>>>
>>>
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>
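
Added example, not part of the thread and not Samba or SSSD code: a small parser for the `Auth:` records quoted in the original question, which tallies NTLM attempts that failed with NT_STATUS_NO_LOGON_SERVERS per domain, user and workstation. The field layout is assumed to match the quoted excerpt, and the sample log is constructed from it.

```python
import re
from collections import Counter

# Samba's human-readable "Auth:" record, field order as in the excerpt quoted
# in the thread. \s+ between fields tolerates records wrapped across lines.
AUTH_RE = re.compile(
    r"Auth:\s+\[(?P<service>[^,\]]*),[^\]]*\]\s+"
    r"user\s+\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]\s+"
    r"at\s+\[(?P<when>[^\]]*)\]\s+with\s+\[(?P<mech>[^\]]*)\]\s+"
    r"status\s+\[(?P<status>[^\]]*)\]\s+"
    r"workstation\s+\[(?P<workstation>[^\]]*)\]\s+"
    r"remote\s+host\s+\[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(text):
    """Return one dict per Auth: record, with wrapped whitespace collapsed."""
    return [{k: " ".join(v.split()) for k, v in m.groupdict().items()}
            for m in AUTH_RE.finditer(text)]

def ntlm_no_logon_servers(events):
    """Count NTLM attempts that failed with NT_STATUS_NO_LOGON_SERVERS,
    keyed by (domain, user, workstation)."""
    hits = Counter()
    for e in events:
        is_ntlm = e["mech"].upper().startswith("NTLM")
        if is_ntlm and e["status"] == "NT_STATUS_NO_LOGON_SERVERS":
            hits[(e["domain"], e["user"], e["workstation"])] += 1
    return hits

# Constructed sample: the first record copies the thread's excerpt (wrapped the
# way it was posted); the other two are invented for contrast.
SAMPLE_LOG = r"""
[2018/10/10 20:43:32.382989, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018
  20:43:32.382980 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation
  [NTB005] remote host [ipv4:192.168.1.1:1914] mapped to [MYDOMAIN]\[myusername]. local host
  [ipv4:10.1.1.1:445]
[2018/10/10 20:43:40.100000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018 20:43:40.099990 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [NTB005] remote host [ipv4:192.168.1.1:1915] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:10.1.1.1:445]
[2018/10/10 20:44:01.500000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[otheruser] at [Wed, 10 Oct 2018 20:44:01.499990 -03] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [NTB006] remote host [ipv4:192.168.1.2:2001] mapped to [MYDOMAIN]\[otheruser]. local host [ipv4:10.1.1.1:445]
"""

if __name__ == "__main__":
    for key, n in ntlm_no_logon_servers(parse_auth_events(SAMPLE_LOG)).items():
        print("%s\\%s from %s: %d NTLM attempts, no logon server" % (*key, n))
```

A non-zero tally for a user means the NTLM fallback reached smbd and failed there, which is the condition the winbind requirement in the reply above addresses.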