search for: krb5cc

Displaying 20 results from an estimated 25 matches for "krb5cc".

2016 Apr 13
1
[Fwd: Re: Samba_dlz, dhcp and reverse zone not updating]
...'s DNS" echo "server when using INTERNAL DNS or BIND9 DLZ plugin." echo "" echo " Command line options (and variables):" echo "" echo " -a | --action Action for this script to perform" echo " ACTION={add|delete}" echo " -c | --krb5cc Path of the krb5 credential cache (optional)" echo " Default: KRB5CC=/run/dhcpd.krb5cc" echo " -d | --domain The DNS domain/zone to be updated" echo " DOMAIN={domain.tld}" echo " -h | --help Show this help message and exit" echo " -H | --hostname Ho...
2018 Apr 14
3
smbclient kerberos auth fails
...dns_lookup_kdc = true default_realm = FOO.COM [logging] kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log default = FILE:/var/log/krb5/def.log * run kinit aaptel at FOO.COM, type pw, ok * klist output: Ticket cache: DIR::/run/user/1000/krb5cc/tktEOK9Bs Default principal: aaptel at FOO.COM Valid starting Expires Service principal 04/14/2018 13:49:22 04/14/2018 23:49:22 krbtgt/FOO.COM at FOO.COM renew until 04/15/2018 13:49:21 At this point I think it should work, but I get: $ smbcl...
2015 Feb 16
0
Samba4 kinit issue with principal and keytab file
...1 HTTP/dc01.example.com at EXAMPLE.COM > 2 1 HTTP/dc01.example.com at EXAMPLE.COM > 3 1 HTTP/dc01.example.com at EXAMPLE.COM > ktutil: q > > You can see that there is only the spn in the keytab and if you try 'kinit' > > kinit -k -t /etc/httpd.keytab -c /tmp/http-dc01.krb5cc http-dc01 > kinit: Generic preauthentication failure while getting initial credentials > > now if you export another keytab but this time use the upn as the principal: > > samba-tool domain exportkeytab /etc/http-dc01.keytab > --principal=http-dc01 at EXAMPLE.COM > > and...
2015 Feb 13
1
Samba4 kinit issue with principal and keytab file
Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
...blem with ssh and sssd in a samba4 ad environment. If I logon a linux client everything works fine. When entering klist I'm able to see my ticket. When I try to connect/logon to another linux client with ssh it is possible, but klist shows: klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found. So the ticket cache is not created during logon. I'm using sssd with the following sssd.conf: [sssd] services = nss, pam config_file_version = 2 domains = $DOMAINNAME$ [nss] [pam] [domain/$DOMAINNAME$] id_provider = ad access_provider = ad ldap_id_mapping=false krb5_k...
2011 Oct 20
2
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
...em1 . . $ ps -ef | grep ssh root 170 1 0 14:01:58 ? 0:00 /opt/ssh/sbin/sshd test 245 243 0 14:03:41 ? 0:00 sshd: test at pts/0 test 242 225 0 14:03:39 pts/tb 0:00 ssh system1 root 243 170 0 14:03:39 ? 0:02 sshd: test [priv] $ ll /tmp/krb5cc* -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_170_243 -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245 Env KRB5CCNAME is set to KRB5CCNAME=FILE:/tmp/krb5cc_243_245 On closing the session,the cache file corresponding to the nonpriv process is...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...assword of DOMAIN\root You should never get prompted for the password for 'DOMAIN\root', if you do, then you are doing something wrong or something has gone wrong. > (what happens when transferring the > *dns roles): > > srv-kb-dc1:~ # klist > Ticket cache: DIR::/run/user/0/krb5cc/tkt What OS is this ? > Default principal: administrator at MY.LOCAL.DOM > > Valid starting       Expires              Service principal > 12.01.2023 12:57:56  12.01.2023 22:57:56 krbtgt/MY.LOCAL.DOM at MY.LOCAL.DOM >         renew until 13.01.2023 12:57:54 > srv-kb-dc1:~ # sa...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...You should never get prompted for the password for 'DOMAIN\root', if you > do, then you are doing something wrong or something has gone wrong. > >> (what happens when transferring the *dns roles): > >> >> srv-kb-dc1:~ # klist >> Ticket cache: DIR::/run/user/0/krb5cc/tkt > > What OS is this ? > >> Default principal: administrator at MY.LOCAL.DOM >> >> Valid starting       Expires              Service principal >> 12.01.2023 12:57:56  12.01.2023 22:57:56 krbtgt/MY.LOCAL.DOM at MY.LOCAL.DOM >>          renew until 13.01.20...
2023 Jan 12
1
problems with sysvol after fsmo transfer
On 12.01.23 at 14:03, Rowland Penny via samba wrote: > On 12/01/2023 12:51, Rowland Penny via samba wrote: >> On 12/01/2023 12:28, Thorsten Marquardt via samba wrote: >>> srv-kb-dc1:~ # klist >>> Ticket cache: DIR::/run/user/0/krb5cc/tkt >> What OS is this ? the old host: srv-kb-primdc:~ # cat /etc/os-release NAME="openSUSE Leap" VERSION="42.3" ID=opensuse ID_LIKE="suse" VERSION_ID="42.3" PRETTY_NAME="openSUSE Leap 42.3" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:...
2016 Sep 30
3
Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
...e is nothing like host_ or other for kerberos inside. > > ls -lisa /var/tmp/ > 2 4 drwxrwxrwt 3 root root 4096 Sep 25 08:39 . > 2 4 drwxr-xr-x 13 root root 4096 Jun 20 2013 .. > 11 16 drwx------ 2 root root 16384 Aug 9 2012 lost+found > > > In /tmp i can see 4 krb5cc files for users there has used kerberos > on this member. So this look ok between Client and Fileserver. But > not between Member an DC > > For recreate keytab i can use this manual? > https://wiki.samba.org/index.php/Generating_Keytabs > <https://wiki.samba.org/index.php/Gene...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...> Kinit as Administrator (note I am using sudo, but it would be the same > if done by root) > > adminuser at rpidc2:~ $ sudo kinit Administrator > Password for Administrator at SAMDOM.EXAMPLE.COM: > > The Administrators ticket: > > adminuser at rpidc2:~ $ sudo klist -c /tmp/krb5cc_0 > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: Administrator at SAMDOM.EXAMPLE.COM > > Valid starting Expires Service principal > 12/01/23 11:14:21 12/01/23 21:14:21 > krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM > renew until 13/01/23 11:14:13 >...
2015 Feb 12
1
Samba4 kinit issue with principal and keytab file
Hi Rowland, Yes, I read this documentation carefully. I have two working Apache2 with kerberos authentication working. My question is more about troubleshooting a keytab. If I need to test manually a keytab file challenging a specific principal, what's the preferred method? I thought that a kinit could be done using a principal name, but I am unable to kinit with something else than the
2015 Apr 24
0
Internal DNS strangeness in 4.1.16
..._DB_ERROR I had to add a USER=dhcpd export USER to the script in /etc/dhcp/update.sh (this is the path for ubuntu 14.04, instead of the /etc/dhcpd one for arch) Since ubuntu 14.04 uses apparmor, I also added the line /etc/dhcp/update.sh Uxr, to /etc/apparmor.d/local/usr.sbin.dhcpd and put KRB5CC in /tmp instead of /run (where the dhcpd user cannot write). BTW samba-tool seems to ignore the -k option altogether (it uses kerberos if it can or asks for a password if it cannot, regardless of the presence or not of the -k option) Bye -- Luca Olivetti Wetron Automation Technology http://www.w...
2019 Feb 15
0
winbind offline logon
...dential cache can be controlled with this option. The supported values are: KEYRING (when supported by the system's Kerberos library and Kernel), FILE and DIR (when the DIR type is supported by the system's Kerberos library). In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created - in case of DIR you NEED to specify a directory. UID is replaced with the numeric user id. When using the KEYRING type, the supported mechanism is “KEYRING:persistent:UID”, which uses the Linux kernel keyring to store credentials on a per-UID basis. This...
2010 Nov 29
1
Getting no ticket cache from pam_winbind
Hi all, I'm trying to get pam_winbind to create a ticket cache on login if the AD is available. Please note that this is an Ubuntu Lucid system. When I trace this with wireshark it receives a TGT ticket for the user. The current solution is to use pam_krb5 before attempting winbind. That gives me a ticket cache. The main problem is that if the user enters the wrong password it does two login
2016 Sep 30
4
Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
...de> <mailto:oliver.werner at kontrast.de <mailto:oliver.werner at kontrast.de>>>>> wrote: hi, now after 10 hours my samba has the next crash and need to restart winbind. Here are the list/kinit: # before kinit pl0024:~# klist klist: Credentials cache file '/tmp/krb5cc_0' not found pl0024:~# kinit Administrator Password for Administrator at HQ.KONTRAST: pl0024:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator at HQ.KONTRAST Valid starting       Ex...
2023 Jan 13
1
problems with sysvol after fsmo transfer
...rquardt via samba: > On 12.01.23 at 14:03, Rowland Penny via samba wrote: > > On 12/01/2023 12:51, Rowland Penny via samba wrote: > >> On 12/01/2023 12:28, Thorsten Marquardt via samba wrote: > >>> srv-kb-dc1:~ # klist > >>> Ticket cache: DIR::/run/user/0/krb5cc/tkt > >> > >> What OS is this ? > > the old host: > > srv-kb-primdc:~ # cat /etc/os-release > NAME="openSUSE Leap" > VERSION="42.3" > ID=opensuse > ID_LIKE="suse" > VERSION_ID="42.3" > PRETTY_NAME="openS...
2015 Sep 04
3
sernet kerberos
On 09/04/2015 03:59 AM, mathias dufresne wrote: > Hi, > > I don't think there is sernet kerberos package. You would have to install > kerberos client using your package manager: krb5-workstation on Centos or > krb5-user on Debian I think... As I understand things: Samba4.2 and lower is designed for the Heimal (sp!) kerberos. Redhat/Fedora/Centos provides the MIT kerberos.
2000 Jan 19
3
AIX openssh patches
...len; + #else int fromlen; + #endif struct pty_cleanup_context cleanup_context; /* Get remote host name. */ *************** *** 2328,2333 **** --- 2365,2380 ---- if (display) child_set_env(&env, &envsize, "DISPLAY", display); + { + char *authstate,*krb5cc; + + if ((authstate = getenv("AUTHSTATE")) != NULL) + child_set_env(&env,&envsize,"AUTHSTATE",authstate); + + if ((krb5cc = getenv("KRB5CCNAME")) != NULL) + child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc); + } + #ifdef KRB...
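Review bot: In the block added after the DISPLAY export, AUTHSTATE and KRB5CCNAME are read with getenv() from the daemon's own environment and copied into the child environment with no visible platform or feature guard, although the code that follows is wrapped in #ifdef. Put the block under the AIX-specific conditional and add a comment saying why these two variables must reach the child. For KRB5CCNAME, confirm that the value in the process environment at this point names the cache created for this session and not one inherited from whoever started the daemon.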
2019 Feb 14
6
winbind offline logon
Hi all, I have a problem in libpam-winbind: offline logon doesn't seem to work. The first version of samba in which I have found the problem is 4.1 and the last is 4.7 but I fear that newer versions are affected too. Hopefully there is a workaround: you have to remove krb5_ccache_type=FILE from /etc/pam.d/common-auth I have opened a bug report[¹] where you can find more details. Any one