search for: dns_lookup_kdc

...ive directory domain controller idmap_ldb:use rfc2307 = yes log level = 5 [netlogon] path = /var/lib/samba/sysvol/ad.dilken.eu/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [libdefaults] dns_lookup_realm = true dns_lookup_kdc = true default_realm = AD.DILKEN.EU smb.conf and krb5.conf on raspberry-pi: [libdefaults] default_realm = AD.DILKEN.EU dns_lookup_realm = true dns_lookup_kdc = true [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/l...

...edir /var/lib/sss/pubconf/krb5.include.d/ >> [logging] >> default = FILE:/var/log/krb5libs.log >> kdc = FILE:/var/log/krb5kdc.log >> admin_server = FILE:/var/log/kadmind.log >> [libdefaults] >> default_realm = DSDEV.LOCAL >> dns_lookup_realm = true >> dns_lookup_kdc = true >> rdns = false >> ticket_lifetime = 24h >> renew_lifetime = 7d >> forwardable = true >> udp_preference_limit = 0 >> default_ccache_name = KEYRING:persistent:%{uid} >> [domain_realm] >> .dsdev = DSDEV.LOCAL >> dsdev = DSDEV.LOCAL >>...

Hi All Is this behaviour expected in smbclient: I have a kerberized Samba server and a share that works as expected on desktop clients, but when I use smbclient with a valid ticket with the -k flag I get a KDC lookup failure kev at client:/home/testuser$ smbclient -k -L //fileserver gss_init_sec_context failed with [ Miscellaneous failure (see text): unable to reach any KDC in realm LAN]

...cryption type ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad ~ encryption type) ~ Failed to verify incoming ticket! The only way I have been able to reproduce this locally using MIT 1.3.1 is by setting a list of permitted_enctypes in /etc/krb5.conf. For example, ~ [libdefaults] ~ dns_lookup_kdc = true ~ default_tgs_enctypes = des-cbc-md5 ~ default_tkt_enctypes = des-cbc-md5 ~ permitted_enctypes = des-cbc-md5 des-cbc-crc Commenting out the last line solved things in my tests. Usually I have a very minimal krb5.conf which works correctly. ~ [libdefaults] ~ dns_lookup_kdc = tru...

...find the > > KDC on its own DC. Have you checked /etc/krb5.conf, /etc/hosts > > and /etc/resolv.conf ? > > With the BIND server not running, and this krb5.conf: > > [libdefaults] > default_realm = SAMBA.IFA.NET > dns_lookup_realm = false > dns_lookup_kdc = true > ~ > > samba_dnsupdate cannot find the KDC. Even if I add: > > [realms] > SAMBA4.IFA.NET { > kdc= 172.31.0.10 > } > Well, I don't think you can find the KDC if the DNS server isn't running, you could try changing '...

...and get new expiration. > > in my DCs i have set > > kdc:service ticket lifetime = 1 > kdc:user ticket lifetime = 24 > kdc:renewal lifetime = 120 > > and Master krb5.conf looks > > [libdefaults] > default_realm = HQ.KONTRAST > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 1d > renew_lifetime = 5d > > [realms] > HQ.KONTRAST = { > kdc = vl0227.hq.kontrast > kdc = vl0230.hq.kontrast > kdc = pl0231.hq.kontrast > master_kdc = vl0227.hq.kontrast > admin_server = vl0227.hq.kon...

On 27.06.2018 15:17, Rowland Penny via samba wrote: > What is in /etc/krb5.conf ? > > Rowland > I think there is a Problem with krb5.conf Fileserver1 root at srv-031:~# cat /etc/krb5.conf [libdefaults] default_realm = DOM.EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true root at srv-031:~# Fileserver with login Error root at srv-007:/var/log/samba# cat /etc/krb5.conf default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = DOM.EXAMPLE.COM dns_lookup_realm = false...

Aki - made your suggested changes, but no joy :( My /etc/krb5.conf: ------SNIP-------- [libdefaults] default_realm = HPRS.LOCAL dns_lookup_realm = false dns_lookup_kdc = true [libdefaults] default_realm = HPRS.LOCAL dns_lookup_kdc = true kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true fcc-mit-ticketflags = true [realms] HPRS.LOCAL = { default_domain = hprs.local auth_to_local_names = { Administrator = root } }...

...ocalhost ip6-localhost ip6-loopback /etc/hosts:ff02::1 ip6-allnodes /etc/hosts:ff02::2 ip6-allrouters /etc/hosts:127.0.0.1 localhost /etc/hosts:192.168.16.214 villach-file /etc/krb5.conf:[libdefaults] /etc/krb5.conf: default_realm = AD.TAO.AT /etc/krb5.conf: dns_lookup_realm = true /etc/krb5.conf: dns_lookup_kdc = true /etc/krb5.conf: default_keytab_name = FILE:/etc/krb5.keytab /etc/krb5.conf:[domain_realm] /etc/krb5.conf: .ad.tao.at = AD.TAO.AT /etc/krb5.conf: ad.tao.at = AD.TAO.AT /etc/krb5.conf: .tao.at = AD.TAO.AT /etc/krb5.conf: tao.at = AD.TAO.AT /etc/resolv.conf:nameserver 192.168.16.1 /etc/resolv.c...

...mmunicate with another spoke. This is where the command would hang for 2 minutes and return the NT_STATUS_IO_TIMEOUT. I changed the krb5.conf on DC3 only (left the hub domain controllers as is) from : [libdefaults] default_realm = AD.EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true to [libdefaults] default_realm = AD.EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false [realms] AD.EXAMPLE.COM = { kdc = DC3.AD.EXAMPLE.COM admin_server = DC3.AD.EXAMPLE.COM default_domain = AD.E...

...t ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.34.4 ldap.example.com ldap sambaexample /etc/hostname dc000.example.com /etc/resolv.conf domain example.com search example.com nameserver 192.168.34.4 /etc/krb5.conf [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = true dns_lookup_realm = false forwardable = true proxiable = true default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5...

I'm trying to test Samba4 as an AD style pdc. following the instructions at http://wiki.samba.org/index.php/Samba4/HOWTO at step 9 I get root at pdc:~# kinit administrator at MYDOMAIN.COM kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting initial credentials root at pdc:~# and yet host -t SRV _kerberos._udp.mydomain.com gives _kerberos._udp.mydomain.com has

...st have working dns before the join. I have read your join howto and have the following comments, based on my experience. I would also install libpam_winbind and libpam_krb5 /etc/krb5.conf needs to be only this: [libdefaults] default_realm = MONDOMAINE.LAN dns_lookup_realm = false dns_lookup_kdc = true I would stop smbd, nmbd, winbind before the join I would run the join command like this: samba-tool domain join mondomaine.lan DC -U administrator --realm=MONDOMAINE.LAN -W MONDOMAINE --option='idmap_ldb:use rfc2307 = yes' --option='dns forwarder = 8.8.8.8' if you copy ne...

...ound that samba member and windows client ask for new tickets and get new expiration. in my DCs i have set kdc:service ticket lifetime = 1 kdc:user ticket lifetime = 24 kdc:renewal lifetime = 120 and Master krb5.conf looks [libdefaults] default_realm = HQ.KONTRAST dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 1d renew_lifetime = 5d [realms] HQ.KONTRAST = { kdc = vl0227.hq.kontrast kdc = vl0230.hq.kontrast kdc = pl0231.hq.kontrast master_kdc = vl0227.hq.kontrast admin_server = vl0227.hq.kontrast } [domain_realm] .hq.kontrast = HQ.KONTRAST...

.../krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false # default_realm = EXAMPLE.COM # Utile ou pas ? default_realm = STUDELEC-SA.COM dns_lookup_kdc = true default_ccache_name = KEYRING:persistent:%{uid} [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM

Hi Rowland, Also change on DCs to [libdefaults] default_realm = HQ.KONTRAST dns_lookup_realm = false dns_lookup_kdc = true ? I was used wiki article and there was listed for DC. the config i have post was only für vl0227 (my Master DC) all other Maschines have the config you prefer. OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100, 40237 Düsseldorf, Germany...

...se 6.6 (Final) [root at wdc samba]# cat /etc/resolv.conf search DOMAIN nameserver 172.16.5.22 nameserver 172.16.5.1 nameserver 8.8.8.8 [root at wdc samba]# samba -V Version 4.2.3 [root at wdc samba]# cat /etc/krb5.conf [libdefaults] default_realm = DOMAIN.COM dns_lookup_realm = false dns_lookup_kdc = true DC 2: [root at bcd samba]# uname -a Linux bcd.senffnet 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux [root at bcd samba]# cat /etc/redhat-release CentOS release 6.6 (Final) [root at bcd samba]# cat /etc/resolv.conf search DOMAIN names...

...> > kerberos??? >> > >> > I don't know either! :( >> > >> > What is in /etc/krb5.conf ? >> > >> > >> > root at dc2:~# cat /etc/krb5.conf >> > [libdefaults] >> > dns_lookup_realm = false >> > dns_lookup_kdc = true >> > default_realm = CAMPUS.SERTAO.IFRS.EDU.BR >> > root at dc2:~# ls -laht /etc/krb5.conf >> > -rw-r--r-- 1 root bind 115 Dec 12 15:31 /etc/krb5.conf >> > >> > root at dc3:~# cat /etc/krb5.conf >> > [libdefaults] >> > dn...

...gt; log level = 5 > > [netlogon] > path = /var/lib/samba/sysvol/ad.dilken.eu/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > [libdefaults] > dns_lookup_realm = true > dns_lookup_kdc = true > default_realm = AD.DILKEN.EU > > smb.conf and krb5.conf on raspberry-pi: > > [libdefaults] > default_realm = AD.DILKEN.EU > dns_lookup_realm = true > dns_lookup_kdc = true > > [logging] > kdc = FILE:/var/log/krb5kdc.log >...

The defaults for dns_lookup_realm and dns_lookup_kdc should be false and true respectively, but the samba team recommends using them explicitly, so that's what I do. My /etc/krb5.conf file doesn't include any of the stock lines included with the package from Ubuntu (which I believe is based on the MIT version of kerberos). My file includes...