search for: kdc

Displaying 20 results from an estimated 3345 matches for "kdc".

2016 Jun 05
2
inconsistent DNS information, windows domain member issues..
...to confirm) > > > > * When I try to modify folder permissions on the windows system, I get > > a message “Unable to contact Active Directory to access or verify > > claim types” > > > > * On DC2: kinit Administrator returns “kinit: Cannot contact any KDC > > for realm ‘samba.domain’ while getting initial credentials. This one > > was easy to fix by adding the domain to /etc/krb5.conf. I am putting > > this in as I changed configuration at this point.. > > > > * In an attempt to get Samba return DC2 as a nameserve...
2013 Jan 04
2
Migrating kerberos KDC data into Samba4 internal KDC
Is there a mechanism to migrate/import user principal information from an MIT KDC into a Samba4 internal KDC? We currently run our Active Directory users with Account Mappings that utilize a cross-realm trust between our MIT KDC (where user principals are maintained) and the Active Directory domain, as documented at *http://tinyurl.com/bx9znca* This works fine for our Windo...
2004 May 05
0
FreeBSD Security Advisory FreeBSD-SA-04:08.heimdal
...alms. Unidirectional or bidirectional trust relationships may be established between realms to allow the principals in one realm to recognize the authenticity of principals in another. These trust relationships may be transitive. An authentication path is the ordered list of realms (and therefore KDCs) that were involved in the authentication process. The authentication path is recorded in Kerberos tickets as the `transited' field. It is possible for the Key Distribution Center (KDC) of a realm to forge part or all of the `transited' field. KDCs should validate this field before acce...
2024 Mar 24
2
'Scripted' machine account renewal?!
...es van Vloten via samba In chel di` si favelave... > Solution is easy: upgrading winbind from Debian backports solves the issue ! I've upgraded to latest buster version 4.18.10+dfsg-1~buster, but still does not work for me... Now display: root at vfwacpn1:~# net ads changetrustpw get_kdc_ip_string: get_kdc_list fail NT_STATUS_NO_LOGON_SERVERS Changing password for principal: vfwacpn1$@AD.AC.CONCORDIA-PORDENONE.IT Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections....
2016 Jun 05
0
inconsistent DNS information, windows domain member issues..
...line for the other DC > joachim at dc1:~$ cat /etc/krb5.conf > [libdefaults] > default_realm = SAMBA.DOMAIN > > # The following krb5.conf variables are only for MIT Kerberos. > krb4_config = /etc/krb.conf > krb4_realms = /etc/krb.realms > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > > # The following encryption type specification will be used by MIT Kerberos > # if uncommented. In general, the defaults in the MIT Kerberos code are > # correct and overriding...
2016 Jun 05
2
inconsistent DNS information, windows domain member issues..
...ely with cached credentials, but don't dare to change them to confirm) * When I try to modify folder permissions on the windows system, I get a message “Unable to contact Active Directory to access or verify claim types” * On DC2: kinit Administrator returns “kinit: Cannot contact any KDC for realm ‘samba.domain’ while getting initial credentials. This one was easy to fix by adding the domain to /etc/krb5.conf. I am putting this in as I changed configuration at this point.. * In an attempt to get Samba return DC2 as a nameserver I tried samba-tool dns add dc2 samba.domain @ N...
2017 Nov 08
2
DC's are unavailable when PDC halted
...hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters -------- /etc/resolv.conf search core.mydomain.hu nameserver 127.0.0.1 nameserver 10.10.10.1 -------- /etc/krb5.conf [libdefaults] default_realm = CORE.MYDOMAIN.HU dns_lookup_realm = false dns_lookup_kdc = true [realms] CORE.MYDOMAIN.HU = { kdc = OPEN-LDAP.CORE.MYDOMAIN.HU kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU } -------- /etc/samba/smb.conf # Global parameters [global] netbios name = OPEN-LDAP...
2023 Dec 04
1
krb5.conf & kdc=, explicit vs automatic
...nf for each realm it uses, and stores it in /run/samba/smb_krb5/krb5.conf.$REALM. Here's a typical such config in fully-automatic mode: [libdefaults] default_realm = RGS.RU default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 dns_lookup_realm = false dns_lookup_kdc = true [realms] FOO.BAR = { kdc = 10.221.1.98 kdc = 10.53.1.100 kdc = 10.45.1.100 kdc = 10.59.1.100 } These are addresses of 4 DCs winbindd found in _ldap._tcp.dc._msdcs.FOO.BAR SRV records. However, if I specify custom /etc/samba/krb5.conf (why it does not use /etc/krb5.conf, btw?), t...
2019 Apr 05
2
wbinfo isn't working on domain member
...e of reasoning that it is a Kerberos issue, I then tried to grab a new kerberos ticket on the server in question which appears to fail though. Perhaps this gives some further insight? pi at fs1:~ $ kinit administrator at samdom.example.com Password for administrator at samdom.example.com: kinit: KDC reply did not match expectations while getting initial credentials Thanks Stephen
2019 Apr 05
1
wbinfo isn't working on domain member
...229    ad1.samdom.example.com ad1 192.168.1.228  ad2.samdom.example.com ad2 192.168.1.227    fs1.samdom.example.com fs1 pi at fs1:/var/log/apache2 $ cat /etc/krb5.conf [libdefaults]         default_realm = SAMDOM.EXAMPLE.COM # The following krb5.conf variables are only for MIT Kerberos.         kdc_timesync = 1         ccache_type = 4         forwardable = true         proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented.  In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves...
2015 Dec 09
5
Authentication to Secondary Domain Controller initially fails when PDC is offline
On 09/12/15 17:03, James wrote: > On 12/9/2015 11:33 AM, Ole Traupe wrote: >> >>> - But when I try to ssh to a member server, it still takes forever, >>> and a 'kinit' on a member server gives this: >>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>> getting initial credentials" >>> >>> >>> My /etc/krb5.conf looks like this (following your suggestions, >>> Rowland, as everything else are defaults): >>> >>> [libdefaults] >>>...
2017 Nov 08
0
DC's are unavailable when PDC halted
...You would be better using the DCs ipaddress rather than '127.0.0.1'. You should also remove '10.10.0.1' it doesn't seem to be a DC. > > -------- > /etc/krb5.conf > [libdefaults] > default_realm = CORE.MYDOMAIN.HU > dns_lookup_realm = false > dns_lookup_kdc = true > You don't need the rest of the krb5.conf > [realms] > CORE.MYDOMAIN.HU = { > kdc = OPEN-LDAP.CORE.MYDOMAIN.HU > kdc = OPEN-LDAP2.CORE.MYDOMAIN.HU > admin_server = OPEN-LDAP.CORE.MYDOMAIN.HU > admin_server = OPEN-LDAP2.CORE.MYDOMAIN.HU >...
2016 Aug 13
0
Samba 4.2.14 Group Policy (GPO) sync error
...ptions): --bundled-libraries=NONE --builtin-libraries=NONE I quickly removed both lines. The effect was that Samba now fails to compile complaining about tgt_use_strongest_session_key. I found this to be an issue of a patch applied by the Gentoo team: --- samba-4.2.3/source4/kdc/kdc.c +++ samba-4.2.3/source4/kdc/kdc.c @@ -967,9 +967,9 @@ * The old behavior in the _kdc_get_preferred_key() * function is use_strongest_server_key=TRUE. */ - kdc->config->as_use_strongest_session_key = false; + kdc->config->tgt_use_strongest_...
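Review bot: the `+` line in the kdc.c hunk at line 967 switches the assignment from as_use_strongest_session_key to a tgt_-prefixed field unconditionally, so the file only compiles against a Heimdal whose KDC config struct has that field, which matches the build failure on tgt_use_strongest_session_key reported in the post once the --bundled-libraries=NONE and --builtin-libraries=NONE options were removed. Suggest guarding the rename with a configure-time check for the field, or applying the patch only when building against the system Heimdal, and adjusting the comment above the assignment so it names the field that is actually being set.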
2015 Dec 09
7
Authentication to Secondary Domain Controller initially fails when PDC is offline
> - But when I try to ssh to a member server, it still takes forever, > and a 'kinit' on a member server gives this: > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while > getting initial credentials" > > > My /etc/krb5.conf looks like this (following your suggestions, > Rowland, as everything else are defaults): > > [libdefaults] > default_realm = MY.DOMAIN.TLD > > And my /etc/resolv.con...
2019 Mar 29
2
Is RODC password replication different from the windows version by design or is it a bug?
...>> now. That is exactly what we're seeing, authentication works __after__ >>>> (from the second attempt on) the initial password sync is done, the >>>> first attempt isn't proxied. >>> >>> It should work, as long as you are using the internal Heimdal KDC, and >>> I thought we even had tests for that. The KDC propagates up a special >>> error code to the processing layer to say 'please proxy this packet to >>> a full DC' to trigger that >> >> We use the internal Heimdal KDC, and it doesn't work, at...
2007 Mar 04
1
net ads join to w2k3 hangs, every encryption type fails
...ac-md5 # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5 clockskew = 300 [2007/03/04 12:21:47, 5] libads/kerberos.c:get_service_ticket(367) get_service_ticket: krb5_get_credentials for BLANKENSHIP6$@BLANKENSHIP.LOCAL enctype 18 failed: KDC has no support for encryption type [2007/03/04 12:21:47, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(552) verify_service_password: get_service_ticket failed: KDC has no support for encryption type [2007/03/04 12:22:17, 5] libads/kerberos.c:get_service_ticket(367) get_ser...
2006 Feb 01
4
ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ
Thanks, Unfortunately, I still got the same error. I may be wrong, but it is like it does the automatic lookup process of kdc instead of using the krb5.conf file. However, as per my note below, if I do add bad config info to the krb5.conf, it does complain. David David Shapiro Unix Team Lead 919-765-2011 >>> Dimitri Yioulos <dyioulos@firstbhph.com> 2/1/2006 10:15:49 AM >>> On Wednesday Feb...
2016 Jun 05
2
inconsistent DNS information, windows domain member issues..
...at dc1:~$ cat /etc/krb5.conf > > [libdefaults] > > default_realm = SAMBA.DOMAIN > > > > # The following krb5.conf variables are only for MIT Kerberos. > > krb4_config = /etc/krb.conf > > krb4_realms = /etc/krb.realms > > kdc_timesync = 1 > > ccache_type = 4 > > forwardable = true > > proxiable = true > > > > # The following encryption type specification will be used by MIT Kerberos > > # if uncommented. In general, the defaults in the MIT Kerberos code are...
2016 Mar 11
5
Problem with Winbind and Windows Clients
...o restart winbind. Also the same problem with a Windows client that is running 24x7. After a few days I cannot log in. I think that's a problem with Kerberos tickets. I have checked the Samba logs and found that the Samba member and Windows client ask for new tickets and get a new expiration. In my DCs I have set kdc:service ticket lifetime = 1 kdc:user ticket lifetime = 24 kdc:renewal lifetime = 120 and the master krb5.conf looks like this: [libdefaults] default_realm = HQ.KONTRAST dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 1d renew_lifetime = 5d [realms] HQ.KONTRAST = { kdc = vl0227....