similar to: Privilege Attribute Certificate (PAC) Disabled/Samba authentication

Hi Matthias, adding (or better replacing) the userPrincipalName attribute with the nfs/* one, is exactly what you need to do. For some reason the NFS client's request *only* matches the userPrincipalName attribute, while all other services I tried so far are fine when matching one of the values in servicePrincipalName attribute. NFS seems to be a very special kind of kerberos service as it

Hello, We are experiencing ADS lower performance on Samba-3.0.22 for HPUX. I did Google search, and find out one message posted at http://lists.samba.org/archive/samba/2005-November/114231.html at the earlier time. >From my observation, it seems there was a spin on reply_spnego_negotiate()/ reply_spnego_kerberos() calls that invokes register_vuid() to register uvid with different vuid# for a

Hello List We run a Solaris9 Server running Samba 3.0.20, Local Users (no winbind) but authenticating against ADS. There are up to 800 concurrent users, mostly Windows XP SP3. When clients access MyDocuments, which is redirected to the Samba share, we observe several "Session Setup AndX Request"s followed by "Session Setup AndX Response, Error:

Hi, I've been working on some systems trying to get kerberized nfsv4 and kerberized web services going on 7. Kerberized nfsv4 was working with 7.0, but with the 7.1 release it stopped working, the key difference between the two setups is that gssproxy wasn't being used with 7.0, but seems to be key with 7.1. The problem I am encountering with Kerberized NFSv4 is that the directory will

I have a kerberized SSHD installed on HOST-1, a login server for the outside world. How can I make it so users are still authenticated via kerberos, even though they haven't yet received a ticket? The main reason for this is that a user who is at home, no vpn, but has an ssh client could then login and be authenticated by kerberos using password authentication, get a ticket, then be allowed

On Tue, 2017-12-05 at 16:14 +0100, mj via samba wrote: > We haved used it on a domain member server, yes. > > Only one thing: when you have a compteraccount memberserver$ in your AD, > you cannot use "memberserver" as an alias on another machine) And you should register any such alias as a servicePrincpalName. Andrew Bartlett -- Andrew Bartlett

Am 2016-11-28 07:14, schrieb Matthias Kahle via samba: > Hi Folks Hi Matthias, > I'm trying to share user home directories hosted on a Samba-4 member > server via NFSv4. Everything's working well with the Windows shares but > when it comes to kerberized NFSv4 it fails. I can't even mount the > home > root directory via nfs on the server itself ("mount.nfsv4:

Hi, yes, there are some things. But I have not found a nice complete documentation. One main point is the domain name as prefix of the username of the parent domain, e.g. "DOM\user1", you have to use. I was not able to get rid of it, as the client is member of the subdomain which is the default. So you can't use the "default domain" option in smb.conf. The backslash

Thank you for that, i did have a good look at that one. And i use Debian 9, if you test what i posted below in the thread, you will see NFSv4 works fine. Below is missing one more thing, the "allow to delegate (kerberos only) " on the computer object in the AD, should be enabled. And yes, i've see bugchecks also but only on my debian .. Lenny.. Stt.. ;-) .. Its my last lenny

Hi people, I have a Linux box running Samba 3.0.2a in ADS mode MIT Kerberos 1.3.3. My W2K e WXP users can't access the linux box by netbios name, the only access that works is by IP address, I know that's caused because access thought IP address don't make use of Kerberos. The most strange for me it's that the same environment works fine with a W2K Active Directory, I read in same

Hi All, I'm having a bit of difficulty getting a CentOS 5.5 Kerberized NFSv4 server working. This server is configured as a Winbind client to a Windows 2003 Active Directory. I've successfully bound it to AD and I am able to authenticate. I've successfully created a NFSv4 entry in /etc/exports to export the /exports directory and I can successfully mount a non-Kerberized NFSv4

Hi Jim, I did what the doc says but the problem is the same. Does anybody saw this work ? I mean, is the Samba 3.0.2a+Kerberos MIT 1.3.3 able to be accessed by a WXP, W2K or W2K3 machine, using Kerberos tickets generated in a Windows 2003 KDC (W2K3 AD) ? Thanks -----Mensagem original----- De: Jim McDonough [mailto:jmcd@us.ibm.com] Enviada em: segunda-feira, 19 de abril de 2004 17:07 Para:

Hello, Is it possible to use Dovecot in a fully kerberized mail system? We have configured authentication via kerberos, now we would like the imap deamon to access a kerberized nfs file system. Has any one any experiences? Regards, Matthew. -- Dr Matthew Williams MEng PhD MBCS Systems Administrator - IT Services - Bangor University Prifysgol Bangor Tel: (44) (0)1248 382414

> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry and reexport the keytab? I already thought about trying that. So by now, I tried tweaking the client's LDAP entry. Adding userPrincipalName=CLIENT02.DOMAIN.TLD does not succeeed, however, after reviewing the ldap filter once again, I added userPrincipalName=nfs/client02.domain.tld at

Is anyone on the list using kerberized-nfs on any kind of scale? I've been fighting with this for years. In general, when we have issues with this system, they are random and/or not repeatable. I've had very little luck with community support. I hope I don't offend by saying that! Rather, my belief is that these problems are very niche/esoteric, and so beyond the scope of typical

Is it possible that Samba4 includes a large PAC on the kerberos credential and you're going over the limit in kernel? Against AD you have to disable this PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work correctly. You /sometimes/ find that testing with a user who is a member of as close to no groups as possible works in this case, but users in many groups

Is it possible that Samba4 includes a large PAC on the kerberos credential and you're going over the limit in kernel? Against AD you have to disable this PAC inclusion via the userAccountControl attribute to make kerberised NFSv4 work correctly. You /sometimes/ find that testing with a user who is a member of as close to no groups as possible works in this case, but users in many groups

Short story: cannot get Kerberized NFSv4 to work. I've googled a great deal and cannot find where I have goofed (and there sure is a lot of misleading and just plain incorrect information out there), so would appreciate another pair of eyes. NFSv4 without Kerberos does work fine, as does ID mapping. We're using NFSv4 in production with sec=sys, but I'm not happy with that. My

Short story: cannot get Kerberized NFSv4 to work. I've googled a great deal and cannot find where I have goofed (and there sure is a lot of misleading and just plain incorrect information out there), so would appreciate another pair of eyes. NFSv4 without Kerberos does work fine, as does ID mapping. We're using NFSv4 in production with sec=sys, but I'm not happy with that. My

Hey all, I've tried kerberizing SSH but I can't get it to login. I've read a lot of documentation, but I wish I could find a "cook-book" type of setup or how-to to get this beast working correctly, or to at least verify it's working per a specification. With that, I'm interested in what books/docs/etc does anyone recommend to get a good understanding of: 1.