search for: add_update_ads

Hi Louis, >Try > >net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator >And i hope this is not your hostname : lpeda1.muc >Because thats a domainname. > >Also make sure you check the resolving of the A and PTR records > >Greetz, > >Louis My hostname is lpeda1! hostname returns "lpeda1" hostnam...

Hello, I am using Samba as file server as member of a windows domain. Kerberos is configured with kerberos method = secrets and keytab Currently some (not all) users get issues when connecting to samba shares from windows. In the corresponding samba logs I found entries: .... [2020/07/23 12:08:06.697678, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)

...k, try sec=sys in a client, if that works, well, then you setup needs fixing somewhere. DNS/resolvings/SPN's ##### Below are the client and server configs. # Samba/winbind joined, and you need to add the NFS spn to the keytab file and AD. ### Server1 (NFS SERVER SPN setup) net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator ### Server1 (NFS exports setup) # /etc/default/nfs-kernel-server NEED_SVCGSSD="yes" ### Server1 and 2 (NFS Server and client) ! only need if you setup as shown on server 1. /etc/default/nfs-common NEED_STATD="yes" STATDOPTS="no" N...

Hi everyone, I have a samba DC, let's call it dc1.ad.example.com. I have two members of the domain - server1.ad.example.com and server2.ad.example.com.?? They are not running smbd and winbind. Instead, they are running SSSD with AD backend. I want to create an NFSv4 export on server1.ad.example.com and mount it on server2.ad.example.com (say, sec=krb5). I found some instructions online

After re-join kinit Administrator net ads keytab add cifs/$(hostname -f) -k net ads keytab add_update_ads -k samba-tool delegation for-any-service COMPUTERNAME$ on ( or use : delegation add-service accountname principal [options] ) Reboot Should work now. ;-) Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Yvan > Mass...

Hi list, I joined a workstation (Debian 10, Samba from distribution) to our AD domain (Windows 2012 Server). The domain ends by ".local" (yes I know, not my fault). However, after a domain user logged to the machine, I can't mount a share that exists on the AD server using user's kerberos ticket: it fails with error "Required key not available". Mounting using

Hi Louis, Thanks for your message. However, I already have NFS working completely. I'm only trying to work out root NFS access on the client.? I tried your NFS translation fix via idmapd.conf? but that isn't working for me. I've discovered that's because CentOS 7 is using gssproxy so apparently your fix won't work. The fix from Red Hat (adding some lines to krb.conf seen in my

...st know that the basics are.. > > > > 1) The server must have A and PTR record. (optional you can > use CNAMEs as long A+PTR match). > > > > 2) you use nfs/$(hostname -f) and add this in the local > keytab and in the computer object$ > > net ads keytab add_update_ads nfs/$(hostname -f) > > > > ( you dont add the REALM here ) ! > > > > > > 3) i know nfs tries mutiple spns, like : ( random order. ) > > nfs/HOSTNAME$ > > nfs/hostname.fqdn > > root/hostname.fqdn > > On of these must exist in the local key...

Try net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator And i hope this is not your hostname : lpeda1.muc Because thats a domainname. Also make sure you check the resolving of the A and PTR records Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org]...

...y problem is i dont now how Centos/RH is handing this. I just know that the basics are.. 1) The server must have A and PTR record. (optional you can use CNAMEs as long A+PTR match). 2) you use nfs/$(hostname -f) and add this in the local keytab and in the computer object$ net ads keytab add_update_ads nfs/$(hostname -f) ( you dont add the REALM here ) ! 3) i know nfs tries mutiple spns, like : ( random order. ) nfs/HOSTNAME$ nfs/hostname.fqdn root/hostname.fqdn On of these must exist in the local keytab file. ( in debian /etc/krb5.keytab ) klist -ke /etc/krb5.keytab Should have at lea...

...you "deleated the computer object" to allow kerberos services. And did you add the CIFS/spn to the computer and keytab ? https://wiki.samba.org/index.php/Generating_Keytabs If its a member, which i assume. kinit Administrator net ads keytab add cifs/$(hostname -f) -k net ads keytab add_update_ads -k Add these and it should work. You might need to restart or reboot., sometimes its needed. Dont know why. Cifs and NFS (kerberized) work in debian without any changing any files if you setup correctly. All you need is above. If you not having a "regular" setup, you might need to c...

Hi, I want to install a dovecot mail server with postfix. And want to be able to use kerberos for authentication. Has someone experience with this. And maybe some links to info. Is there also someone with experience with SoGo? Philip

.... >> > >> > 1) The server must have A and PTR record. (optional you can >> use CNAMEs as long A+PTR match). >> > >> > 2) you use nfs/$(hostname -f) and add this in the local >> keytab and in the computer object$ >> > net ads keytab add_update_ads nfs/$(hostname -f) >> > >> > ( you dont add the REALM here ) ! >> > >> > >> > 3) i know nfs tries mutiple spns, like : ( random order. ) >> > nfs/HOSTNAME$ >> > nfs/hostname.fqdn >> > root/hostname.fqdn >> > On...

Hi, Upgraded the samba from 4.7.7 to 4.9.3 in debian. Trying to get Samba AD 4.9.3 as a Kerberos source for nfs4. Until 4.7.7 able to mount the nfs4 over krb5 security. After upgrade unable to mount it. Suggest me is there any configure change in 4.9.3. Please look the following configuration. [Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios name= x2 realm= SAM.COM password

...derstand the above: mount requires a keytab AND a user ticket? > https://wiki.samba.org/index.php/Generating_Keytabs > > If its a member, which i assume. Yes, the workstation is a domain member. > kinit Administrator > net ads keytab add cifs/$(hostname -f) -k > net ads keytab add_update_ads -k > > Add these and it should work. > You might need to restart or reboot., sometimes its needed. > Dont know why. > > Cifs and NFS (kerberized) work in debian without any changing any files if you setup correctly. > All you need is above. > If you not having a "regu...

Hi, I set up Squid 4.6 on Debian 10 and I'm having problems with browser authentication on a Windows station. I did the tests on the command line and apparently it's OK. root at proxy:/etc/squid/acls# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED lp_load_ex: refreshing parameters Initialising global

...ased service. net ads keytab changes ---------------------- net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified. A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead. net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads se...

...ased service. net ads keytab changes ---------------------- net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified. A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead. net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads se...

...ased service. net ads keytab changes ---------------------- net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified. A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead. net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads se...

...ased service. net ads keytab changes ---------------------- net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified. A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead. net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads se...