search for: permitted_enctyp

Displaying 20 results from an estimated 159 matches for "permitted_enctyp".

2024 Apr 05
1
Strange problem with samba-tool dns query ...
...line. > > but it includes other file too from package > crypto-policies-20231204-1.git1e3a2e4.fc39.noarch > > $ ls -l /etc/krb5.conf.d > lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> > /etc/crypto-policies/back-ends/krb5.config > > [libdefaults] > permitted_enctypes = aes256-cts-hmac-sha384-192 > aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac > > When I remove this file, command returns correct results Oh you did, please do not put it back. > > I suppose permitted_e...
2024 Apr 05
1
Strange problem with samba-tool dns query ...
...ers#Connections_to_a_Samba_Domain_Member_Fail_After_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File > > Just remove the 'includedir' line. > > I'm not sure my samba version is including files from that directory without problems When I've removed first two permitted_enctypes: aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 to be: permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac command works No matter if this is included in file /etc/krb5.conf.d/crypto-policies or in main file /etc/krb5.conf So...
2004 Jan 27
3
Solution -- can connect via IP but not by name
...ads_verify_ticket: enc type [3] failed to decrypt with ~ error Bad encryption type ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad ~ encryption type) ~ Failed to verify incoming ticket! The only way I have been able to reproduce this locally using MIT 1.3.1 is by setting a list of permitted_enctypes in /etc/krb5.conf. For example, ~ [libdefaults] ~ dns_lookup_kdc = true ~ default_tgs_enctypes = des-cbc-md5 ~ default_tkt_enctypes = des-cbc-md5 ~ permitted_enctypes = des-cbc-md5 des-cbc-crc Commenting out the last line solved things in my tests. Usually I have a very minimal krb5.c...
2024 Apr 05
1
Strange problem with samba-tool dns query ...
...etc/krb5.conf by this line includedir /etc/krb5.conf.d/ but it includes other file too from package crypto-policies-20231204-1.git1e3a2e4.fc39.noarch $ ls -l /etc/krb5.conf.d lrwxrwxrwx. 1 root root 42 17. led 01.00 crypto-policies -> /etc/crypto-policies/back-ends/krb5.config [libdefaults] permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac When I remove this file, command returns correct results I suppose permitted_enctypes are not compatible with this samba version, I'm not sure wh...
2004 May 12
2
Failed to verify ticket ?
...efault = FILE:/var/log/kerberos/krb5libs.log kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = DRAF.FC default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 permitted_enctypes = des-cbc-crc des-cbc-md5 #default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc #default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc #permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = false kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forw...
2024 Apr 05
1
Strange problem with samba-tool dns query ...
...r_Adding_an_includedir_Statement_to_the_/etc/krb5.conf_File > > > > Just remove the 'includedir' line. > > > > I'm not sure > > my samba version is including files from that directory without > problems > > > When I've removed first two permitted_enctypes: > > aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 > > to be: > permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 > camellia256-cts-cmac camellia128-cts-cmac > > command works > > No matter if this is included in file > /etc/krb5.con...
2017 Nov 09
3
Slow Kerberos Authentication
Hai, You may need to add the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enc...
2018 Jun 08
2
samba4+squid3+ntlm
...ibdefaults] default_realm = MYDOMINIO.COM dns_lookup_kdc = no dns_lookup_realm = no ticket_lifetime = 24h default_keytab_name = /etc/squid3/PROXY.keytab ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des...
2004 Apr 19
1
Samba 3.0.2a with ADS w2k3 Active Directory, enctypes
...eros. The most strange for me it's that the same environment works fine with a W2K Active Directory, I read in same list the problem was the kerberos 1.2.x, then I changed to 1.3.3, but the problem remains. I also have tried the following combinations of parameters in the krb5.conf Test 1 - No permitted_enctypes [libdefaults] default_realm = HOME.EHC # The following krb5.conf variables are only for MIT Kerberos. default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 #permitted_enctypes = des-cbc-crc des-cbc-md5 Result [2004/04/18 10:38:34, 10] libads/kerberos...
2016 Jan 07
1
Authentication to Secondary Domain Controller initially fails when PDC is offline
...d for encrypted timestamp: aes256-cts/000A In my setup, I don't have aes256-cts available in my keytab, do you? You can try adding this, to krb5.conf. ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES ; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-...
2006 Dec 01
2
Removing display of domain
...encrypt passwords = yes hosts allow = 10.0.0. 127. KRB5.CONF: -------------- [libdefaults] ticket_lifetime = 600 default_realm = DOMAIN.EXAMPLE.COM dns_lookup_kdc=0 dns_lookup_realm=0 dns_fallback=0 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc permitted_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc des-cbc-md5 arc foug-hmac-md5 arcfour-hmac-md [realms] DOMAIN.EXAMPLE.COM = { kdc = 10.0.0.1 } [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log Pretty generic, I know...
2024 Apr 05
1
Strange problem with samba-tool dns query ...
On Fri, 05 Apr 2024 17:18:12 +0200 pavel.lisy at gmail.com wrote: > > Now I've found some differences in /etc/krb5.conf > and it seems to be a possible root cause. > > I will write summary after further testing. > Ah, yes, I should have remembered that you are running 'experimental' DCs on Fedora and they do strange things to the krb5.conf. All you need is this:
2017 Nov 10
2
Slow Kerberos Authentication
...ba at lists.samba.org> wrote: Hai, You may need to add the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 per...
2004 Dec 07
1
Kerberos Error
...beros/krb5libs.log kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmind.log [libdefaults] ticket_lifetime = 24000 default_realm = HQ.ARKONNETWORKS.COM default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = false kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forwardable = true proxiable = true [realms] HQ.ARKONNETWORKS.COM = { kdc = dc2.hq.arkonnetworks.com:88 admin_server = dc2.hq.arkonnetwo...
2004 Apr 20
1
RES: Samba 3.0.2a with ADS w2k3 Active Directory, enctype s
.... The most strange for me it's that the same environment works fine with a W2K Active Directory, I read in same list the problem was the kerberos 1.2.x, then I changed to 1.3.3, but the problem remains. I also have tried the following combinations of parameters in the krb5.conf Test 1 - No permitted_enctypes [libdefaults] default_realm = HOME.EHC # The following krb5.conf variables are only for MIT Kerberos. default_tgs_enctypes = des-cbc-crc des-cbc-md5 default_tkt_enctypes = des-cbc-crc des-cbc-md5 #permitted_enctypes = des-cbc-cr...
2017 Nov 10
0
Slow Kerberos Authentication
...ia samba" <samba at lists.samba.org> wrote: Hai, You may need to add the following in krb5.conf [libdefaults] allow_weak_crypto = true ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enc...
2004 Jun 09
1
RES: authentification in ads2003
...om > } > #[domain_realms] > #.kerberos.server=CAR.BE.TEST.COM > > # The following krb5.conf variables are only for MIT Kerberos. > default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > krb4_config = /etc/krb.conf > krb4_realms = /etc/krb.realms > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > > > v4_instance_resolve = false >...
2023 Dec 22
1
Failed to join domain - some user account restriction has prevented successful authentication
...realm = true dns_lookup_kdc = true forwardable = true ticket_lifetime = 24h renew_lifetime = 7d default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 # net ads keytab list # I'm wondering if this is in any way related to the Kerberos hardening changes that was introduced by Microsoft in late 2022 and to be performed in phases throughout 2023? What else should I be checking for? What...
2004 Jun 08
1
Authentification in windows ads 2003
....test.com default_domain = car.be.test.com } #[domain_realms] #.kerberos.server=CAR.BE.TEST.COM # The following krb5.conf variables are only for MIT Kerberos. default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true v4_instance_resolve = false v4_name_convert = { host =...
2019 Jan 08
0
mount cifs with sec=krb5
...TR record exists for both servers? Does CIFS/spn and root/spn exist in the AD? In krb5.conf, set these : ; not used for nfs4 but cifs might need it. ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; for Windows 2008 with AES, (cifs and nfs4) default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5...