Displaying 13 results from an estimated 13 matches for "chgkrbtgtpass".

2017 Jun 21
4
DRS stopped working after upgrade from debian Jessie to Stretch
...at does this. > > Andrew Bartlett Thank you, works fine on a single test machine. Raised forest and domain level to 2008_R2 and recreated the password with chgrdcpass. Raising the functional level did not set the krbtgt password (it does if the level is raised on a Windows AD). But there is chgkrbtgtpass which does the trick. Sorry for the off-topic noise to the OP.
2020 Jun 13
2
Samba not providing the right encryption in Kerberos
Hi, I have a domain with 3 DCs running 4.11.8. The database itself dates back to Samba3 and has been gradually updated over the years. When I check out a ticket I get the following results from klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user at OLDDOMAIN Valid starting Expires Service principal 06/12/2020 23:25:04 06/13/2020 09:25:04 krbtgt/ OLDDOMAIN at
2017 Dec 28
1
Chromebook AD integration fails on joining the domain
...d to recreate the machine and tgt password on your server so > it adds the aes enc types for these after raising the functional domain > level. > > The required scripts can be found in the samba sources in > /source4/scripting/devel/ > > Use chdcpass for the machine-account and chgkrbtgtpass for the tgt account. > > I did this on a single addc server a while back and had no issues. Never > tried it on a setup with multiple addc's. So I'd recommend you make a > backup/snapshot before you try it. > > > Achim~ > > > Am 27.12.2017 um 16:00 schrieb Mike...
2017 Dec 27
2
Chromebook AD integration fails on joining the domain
Hi, I am testing Google's recent ability to integrate Chromebooks into AD and it's failing when I try to join the device to the domain. When I run wireshark during the test I notice 2 TGS-REQs from the device that are answered with KRB5KDC_ERR_ETYPE_NOSUPP. The Chromebook is only passing AES256-cts-hmac-sha1-96 and AES128-cts-hmac-sha1-96 as enc types. I was getting the same result from
2015 Aug 19
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi Trever, things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour: root at ubuntu1:~# kinit user09999 user09999 at S4DOM.TEST's Password: root at ubuntu1:~# klist -v Credentials cache: FILE:/tmp/krb5cc_0 Principal: user09999 at S4DOM.TEST Cache version: 4 Server: krbtgt/S4DOM.TEST at
2015 Jul 14
2
krbtgt user not showing aes types
I have found source4/scripting/devel/chgtdcpass for adding the aes types to machines. I know you have to change the password of normal users. How do you fix this for krbtgt? Can you just change the password? Is there a recommended method? Thank you for any help, Trever
2015 Aug 19
0
Samba 4 DC - no AES kerberos tickets - only arcfour
...scripting-devel-Add-tool-to-roll-over-the-krbtgt-.patch that you are after. I am using v4-2-stable for building my own. This patch was not applied to this tree/branch, so you will have to pull it out of the email message. Apply both parts of the patch. You will need to make source4/scripting/devel/chgkrbtgtpass executable and then run it. I know that was part of it. I also had to rejoin the Linux machines that hosted services (this likely would have been unnecessary had I just waited for them to change their passwords). I hope this gets you the rest of the way. Trever
2017 Jun 21
0
DRS stopped working after upgrade from debian Jessie to Stretch
...ank you, works fine on a single test machine. Raised forest and > > domain level to 2008_R2 and recreated the password with chgrdcpass. > > Raising the functional level did not set the krbtgt > password (it does > > if the level is raised on a Windows AD). But there is > chgkrbtgtpass > > which does the trick. > > Then, if I want to upgrade samba too, and upgrade func. level > too, I need to use this command against every machine account? > > Now I have AD domain with two dc (samba 4.1.2) on win2003 f. > level and ~150 desktops, mostly windows 7 . >...
2017 Dec 27
0
Chromebook AD integration fails on joining the domain
Hello Mike, Can be you need to recreate the machine and tgt password on your server so it adds the aes enc types for these after raising the functional domain level. The required scripts can be found in the samba sources in /source4/scripting/devel/ Use chdcpass for the machine-account and chgkrbtgtpass for the tgt account. I did this on a single addc server a while back and had no issues. Never tried it on a setup with multiple addc's. So I'd recommend you make a backup/snapshot before you try it. Achim~ On 27.12.2017 at 16:00, Mike Forsman via samba wrote: > Hi, > > I am t...
2020 Jun 13
0
Samba not providing the right encryption in Kerberos
...; back to Samba3 and has been gradually updated over the years. I'm not sure why, but this probably doesn't have all the encryption types for either the user or the krbtgt account. Change the password on both. The user account the normal way, the krbtgt with samba/source4/scripting/devel/chgkrbtgtpass Be aware that this might unsettle the domain if replication is not working smoothly, as we need to get the new krbtgt password to every DC quickly. Clients running will find their tickets not accepted until they do a kinit again. You might want to rotate the server accounts, they are rotated wit...
2017 Jun 20
2
DRS stopped working after upgrade from debian Jessie to Stretch
Can you do this against the secrets.keytab in Samba's private/ dir? > You can reset the Samba machine account pw with > ./source4/scripting/devel/chgtdcpass, but: > - it wont be packaged so you will have to build Samba and tell it to > operate against the right paths > - it shouldn't be needed, upgrades shouldn't break this, and > understanding the root cause
2020 Oct 30
2
Setting up Backup AD DC
On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote: > On 29.10.2020 18:27, Tom Diehl via samba wrote: > > > > Maybe I am missing something, but what is the secure way to run an > > automated > > backup on recent versions of samba? Can samba-tool domain backup be > > made to use > > kerberos so I do not need to store an admin password in an >
2017 Jun 21
4
DRS stopped working after upgrade from debian Jessie to Stretch
2017-06-21 14:29 GMT+02:00 Prunk Dump <prunkdump at gmail.com>: > Thank you very much Louis, Rowland, Mike ! > > I have made all the changes proposed by Louis but still have the same problem. > > -> kinit works now with /var/lib/samba/private/secrets.keytab > ------------------------ > ~# kinit -k -t /var/lib/samba/private/secrets.keytab FICHDC$ > ~# >