search for: exportkeytab

Displaying 20 results from an estimated 215 matches for "exportkeytab".

2016 Dec 21
1
Problem with keytab: "Client not found in Kerberos database"
On 20.12.2016 at 14:50, Brian Candler via samba wrote: > (2) Can "net ads keytab create" be told to extract just a single named > principal? That would simplify things. But I can't see how to. > > As usual... clues gratefully received. samba-tool domain exportkeytab [keytabfile] --principal=[SPN or UPN] In your case samba-tool domain exportkeytab /etc/krb5.keytab --principal=WRN-RADTEST$
2015 Oct 09
5
kerberos nfs4's principals and root access
...rouble understanding the kerberos/principals layer. ------------ Actually I do ------------- -> on the server I create an nfs principal and export it to the keytab $ samba-tool user add nfs-myserver --random-password $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com /etc/krb5.keytab -> on the client I use the machine keytab. $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab With this setup all my domain users can write to the share. But when I try with the root account it use the machine keytab (th...
2012 Jul 13
1
Understanding kerberos principals in samba4
...omain.net @ MYDOMAIN.NET" in samba4's domain or in the server's /etc/krb5.keytab file? I have tried adding this principal to the /etc/krb5.keytab file using ktutil, but this error still pops up. I noticed that you can export a principal into a keytab file using "samba-tool domain exportkeytab" but how do you add the principal to the domain? Will adding the missing principal using "samba-tool spn" solve problems like these? According to https://help.ubuntu.com/community/SingleSignOn , you add a host to the kerberos realm by doing these two commands on the kerberos server...
2016 Jul 01
1
Where is krb5.keytab or equivalent?
On 01.07.2016 at 23:52, Achim Gottinger wrote: > Here is a simpler way to create a user with the imap principal and > the dovecot keymap > > ~# samba-tool user create dovecot > [Assign password] > ~# samba-tool spn add imap/server.domain.local dovecot > ~# samba-tool domain exportkeytab --principal dovecot at DOMAIN.LOCAL > dovecot.keytab If above line is replaced by ~# samba-tool domain exportkeytab --principal imap/server.domain.local dovecot.keytab It is working without auth_gssapi_hostname = "$ALL" again. To add the principal for smtp execute ~# samba-tool spn a...
2016 Jul 03
6
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
...n settings needed were on the Samba side. I hope these instructions can eventually make it into: https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos as those instructions contain nothing about the required `samba-tool spn add` and `samba-tool domain exportkeytab` settings, without which it is impossible to get Dovecot (and presumably other local authenticators needing GSSAPI/Kerberos) to authenticate. You need kerberos as the Samba built-in kerberos does not have needed commands like `klist`. My distro (Slackware 14.1) does not come with kerberos, but is...
2016 Jul 14
2
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
...kay, but once you start exporting the keytab to be used on the DC, > you > are doing something that Samba doesn't recommend, but I have thought > of > a way around this, phrase the page in the same way as the Apache page > on > the wiki. Rowland: Running samba-tool domain exportkeytab for a specific user is quite a reasonable thing to do, and is entirely sensible to recommend as part of adding a new user with an SPN. The keytab can then be deployed as required. Running the exportkeytab file is not the same as loading up the DC with other services. Not that this is a total d...
2016 Sep 16
6
Exporting keytab for SPN failure
....domain1.tld >>>>>>>> >>>>>>>> Then, if I go to export the keytab as you have indicated above >>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>> >>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught exception - >>>>>>>> Key table entry not found File >>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>...
2019 Apr 29
2
missing enctypes in exported keytab
...ptionTypes": 31 (0x0000001f) [X] 0x00000001 DES-CBC-CRC [X] 0x00000002 DES-CBC-MD5 [X] 0x00000004 RC4-HMAC [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 root at dc2:~# rm dns.keytab rm: remove regular file 'dns.keytab'? y root at dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 \\ dns.keytab Export one principal to dns.keytab root at dc2:~# klist -ke dns.keytab Keytab name: FILE:dns.keytab KVNO Principal ---- -------------------------------------------------------------------------- 4 dns-dc2 at XXX (arcfour-hmac) 4 dns-dc2 at XXX (des-cbc-md5)...
2016 Sep 17
2
Exporting keytab for SPN failure
...>>>>>>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> samba-tool domain exportkeytab >>>>>>>>>>>>>>>>>>>> ~/intranet-macmini.keytab >>>>>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>>...
2019 Apr 29
2
missing enctypes in exported keytab
On 29.04.2019 at 12:55, L.P.H. van Belle via samba wrote: > Hai, > > That's a strange one.. > >> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) > Try this first. > sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2 Same result. Cheers, Christian > > > Greetz, > > Louis > >> -----Original message----- >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of >> Christian via samba >> Sent: Monday 29 April 2019 12:30...
2019 Apr 29
2
missing enctypes in exported keytab
>>> That's a strange one.. >>> >>>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": >>>> 31 (0x0000001f) >>> Try this first. >>> sudo samba-tool domain exportkeytab dns.keytab >>> --principal=dns-dc2 >> Same result. Cheers, >> > what is the output of 'samba-tool domain level show' root at dc1:~# samba-tool domain level show Domain and forest function level for domain 'DC=.....' Forest function level: (Windows) 2003 D...
2016 Sep 15
3
Exporting keytab for SPN failure
...>>>>> HTTP/intranet.domain2.domain1.tld >>>>>> >>>>>> Then, if I go to export the keytab as you have indicated above >>>>>> with —principal=HTTP/intranet it errors: >>>>>> >>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught exception - >>>>>> Key table entry not found File >>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>> line 1...
2015 Oct 09
1
kerberos nfs4's principals and root access
...--- >> Actually I do >> ------------- >> >> -> on the server I create an nfs principal and export it to the keytab >> $ samba-tool user add nfs-myserver --random-password >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com >> /etc/krb5.keytab >> >> -> on the client I use the machine keytab. >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab >> >> With this setup all my domain users can write to the share. But when I >...
2016 Sep 17
2
Exporting keytab for SPN failure
...>>>>> above >>>>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>>>>> exception - >>>>>>>>>>>>>>>>...
2016 Sep 14
2
Exporting keytab for SPN failure
...ntranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName: >> HTTP/intranet.domain2.domain1.tld >> >> Then, if I go to export the keytab as you have indicated above with —principal=HTTP/intranet it errors: >> >> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet >> ERROR(runtime): uncaught exception - Key table entry not found >> File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run >> return self.run(*args, **kwargs) >> File "...
2015 Oct 09
3
kerberos nfs4's principals and root access
...> >> ------------- > >> > >> -> on the server I create an nfs principal and export it to the keytab > >> $ samba-tool user add nfs-myserver --random-password > >> $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver > >> $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com > >> /etc/krb5.keytab > >> > >> -> on the client I use the machine keytab. > >> $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab > >> > >> With this setup all my domain users can writ...
2016 Sep 17
2
Exporting keytab for SPN failure
...>>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> samba-tool domain exportkeytab >>>>>>>>>>>>>>>>>>>>>> ~/intranet-macmini.keytab >>>>>>>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>...
2015 Mar 05
2
creating Kerberos host principals for multiple hostnames, multihomed server
Hi! I maintain Linux servers that are members of a Samba4 Domain. User authentication / login via ssh works fine with Kerberos. But: only via one hostname. Those machines need a working Kerberos login via multiple hostnames (each hostname has its own IP address and DNS is set up correctly.) "net ads keytab list" of course gives me the main hostname that was in use when joining the
2015 Oct 09
0
kerberos nfs4's principals and root access
...layer. > > ------------ > Actually I do > ------------- > > -> on the server I create an nfs principal and export it to the keytab > $ samba-tool user add nfs-myserver --random-password > $ samba-tool spn add nfs/myserver.samdom.com nfs-myserver > $ samba-tool domain exportkeytab --principal=nfs/myserver.samdom.com > /etc/krb5.keytab > > -> on the client I use the machine keytab. > $ samba-tool domain exportkeytab --principal=MYCLIENT$ /etc/krb5.keytab > > With this setup all my domain users can write to the share. But when I > try with the root ac...
2016 Sep 16
2
Exporting keytab for SPN failure
...in1.tld > >>>>>>> > >>>>>>> Then, if I go to export the keytab as you have indicated above > >>>>>>> with —principal=HTTP/intranet it errors: > >>>>>>> > >>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab > >>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught exception - > >>>>>>> Key table entry not found File > >>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >...