Displaying 16 results from an estimated 16 matches for "k5start".
2012 Jan 17
1
Samba 4 and GSSAPI kerberos ldap connect
Hi everyone
I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
moment, I authenticate by specifying the binddn and password in
/etc/nslcd.conf and all works fine
If I add the line:
sasl_mech GSSAPI
to /etc/nslcd.conf
and restart nslcd, no one can connect to the database. Nothing works.
ldapsearch and getent passwd draw a blank.
ldapsearch -x -b '' -sbase
2013 Aug 28
2
nslcd: kerberos vs. simple bind
...add the credentials to the root only
readable file nslcd.conf. Done
Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok.
This is all done only once.). But then, if I understand it right, I need
something that renews the kerberos ticket from time to time. In your
blog you use k5start for that. Also Fedora 19 and RHEL6 don't have it
in their repositories. So something more to compile and to be ensured
that it starts and run. :-)
So currently I don't see what are the advantages of Kerberos and in
which way it should be easier or anything else. :-)
Maybe someone can...
2014 Nov 08
7
[Bug 2310] New: functionality to start process before ssh and/or to "wrap" such command around ssh
...beros ticket, or perhaps (for certain special
hosts) bringing up some ppp network route or whatever.
But actually "just" starting something before ssh isn't the only thing
I'd wish:
My thinking goes also into "wrapping" another command around ssh,
mainly something like k5start[1] or krenew[1], which would greatly
simplify connecting to hosts from different(!) realms.
I'm not sure though, how easy the latter can be done,...
If it would work, one might need to take security implications into
account, especially when this is used together with control channel
multiplexi...
2012 Jul 12
2
nslcd service - "Client not found in Kerberos database"
...ktutil. I have confirmed that the principals exist on both
machines by using klist -ke /etc/krb5.keytab.
"hostname -f" gives me the fully qualified domain name for the client.
If I restart the nslcd service, I get the following error on the client:
* Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database
On the samba4 server side, in the /var/log/samba/log.samba file, I get
following errors:
Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:
10.45.1.55:34456 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
Ke...
2019 Apr 12
3
Sudo rules in samba with winbind
...ts.samba.org/archive/samba/2016-April/199402.html
Is there some guideline like the one mentioned available/has someone
already experience with this for winbind based clients?
Within the conversation I found that Rowland was trying to set up something
like this but seemed to have problems with "k5start". Well, I still have
problems with the basics since based on
https://manpages.debian.org/stretch/sudo-ldap/sudoers.ldap.5.en.html I need
to configure /etc/nsswitch.conf.
I decided for test to just keep "*sudoers: ldap*"
As soon as I change this I receive the following error (based on...
2015 Mar 04
2
Is there a listprincs equivalent?
I joined a machine. net ads testjoin says OK. The join exported a
keytab, which among others contains MACHINE$@REALM. However, trying
k5start I get "Client not found in Kerberos database". Also kinit -t
/etc/krb5.keytab MACHINE\$@REALM claims that the client was not found.
But then, how did it come into the keytab?
Is there a tool to list the principals in AD?
Kind regards,
- lars.
2013 Oct 26
2
lost with AD auth
...diodjiido.nc
base DC=radiodjiido,DC=nc
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt
checking that k5start is well running:
ps ax | grep k5
->
2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt
klist
->
Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
Default principal: serveur at RADIODJIIDO.NC
Valid starting Expires Service princi...
2017 Jul 01
1
integrating samba with pam
...ap.
>
> You need to speak to Louis van Belle about squid, he is the expert.
Everything is ok with the squid for the time being... I'm using kerberos only.
> I don't understand your problem with winbind, if you do use nslcd, you
> will have to configure smb.conf, the nslcd conf file and run k5start to
> ensure that kerberos refreshes tickets. If you use winbind, you will
> just have to configure smb.conf.
> You have to configure smb.conf anyway, so why bother with nslcd ? Just
> what does nslcd give you that winbind doesn't ? I should also point out
> that nslcd isn't supported by Samba.
>
> I have several barebone systems with the minimum of hard drive, ram, and
> utilities on the SO. Ever...
2013 May 20
1
[Samba4] modifying attributes: no write access to self
Hi all
*Context:*
I'm trying to use the s4bind scripts (
http://linuxcostablanca.blogspot.com.es/p/s4bind.html)
k5start is running
So far, I've succeeded in
* modifying (posixifying) the built-in "Domain Users"
* adding a user to this group and I can login with this user (ssh), create
files that are correctly owned, etc... The user also shows up correctly in
ADUC.
* retrieving user and group info (for...
2014 Dec 29
6
Samba4 and sssd, keytab file expires?
Hi all.
I have the following setup:
1st dc is on CentOS 6 with Sernet samba 4.1.13
2nd dc is on Debian 7 with Sernet samba 4.1.13
The 2 dc work as expected.
on CentOS I was able to configure sssd to work
on Debian I'm using winbind
Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS
repository.
This system serves as a file server and works ok with samba, but I have
a
2017 Jul 01
3
integrating samba with pam
On Sat, 1 Jul 2017 16:30:25 +0100, Rowland Penny via samba wrote:
> On Sat, 01 Jul 2017 11:48:21 -0300
> Guido Lorenzutti via samba wrote:
>
>> Hi there! I've been using samba3 with ldap for years, and now
>> I'm about to move to samba4 to leave the slapd.
>
> I take it you mean that you use Samba as an AD DC
Exactly.
>> I didn't try yet to migrate the directory from
2008 May 27
6
Openssh + AFS
The native authentication methods of openssh are
(not counting insecure RhostsRSAAuthentication)
1) public key
2) password
For users with home dirs in AFS space, method 1) does not work.
Except with (non foolproof) fiddling on the access controls within
the home directory. This might lead to security issues when done
by inexperienced users.
Without some work, only 2) remains. Being forced to send
2017 Jul 01
0
integrating samba with pam
...should be a way to use that
> an ldapsearch, for example. And of course,
> pam_ldap.
You need to speak to Louis van Belle about squid, he is the expert.
I don't understand your problem with winbind, if you do use nslcd, you
will have to configure smb.conf, the nslcd conf file and run k5start to
ensure that kerberos refreshes tickets. If you use winbind, you will
just have to configure smb.conf.
You have to configure smb.conf anyway, so why bother with nslcd ? Just
what does nslcd give you that winbind doesn't ?
I should also point out that nslcd isn't supported by Samba.
What...
2016 Apr 20
9
Samba 4 sudoers
Has anyone here managed to get sudo working with Samba 4 AD users, using
either ldap or sssd, with sssd preferred? If so, can you please point me
in the direction of whatever instructions you used? It seems like there
are a bunch of tutorials on the subject, each with different, and
sometimes conflicting, information but none of those I've tried work for me.
regards,
John
2014 Feb 14
3
smbclient broken after update
...fails with some complaints I don't
understand enough to find the root cause of all these troubles. 3)
I clearly see, that this syndrome is way too unclear, to be pinpointed
remotely. But I hope for advice on how to systematically debug the
problem.
I have installed nslcd and pam/winbind and k5start. I did rerun
the tests I did during the last reinstall in March last year, and
all these tests for the auxiliary blocks seem to work. I have the
impression that something is wrong with GSSAPI calls, and I also
saw SPNEGO calls failing. But I don't have a clue on how to
debug that. Maybe som...
2014 Dec 31
4
Fwd: Re: Samba4 and sssd, keytab file expires?
On 2014-12-31 16:29 Dr. Lars Hanke wrote:
>>> OK, you can get winbind to update your keytab, you need to alter your
>>> smb.conf slightly. You need to change 'kerberos method = secrets only'
>>> to either 'kerberos method = secrets and keytab' or 'kerberos method =
>>> system keytab' and add the line