search for: kdcs

I was told recently that Kerberos authentication won't work against a non-windows KDC. Is that accurate? So for instance, it is not possible for Samba running on say RHEL, to authenticate against a Linux server running MIT Kerberos? Additionally, many people said that setting this up was well-documented. Any suggestions of particularly good docs / how-to's?' And lastly, is

...is. With MIT krb5, this is completely unnecessary, and actually detrimental. All ADS domains will automatically create SRV records in the DNS zone _kerberos.REALM.NAME for each KDC in the realm. MIT's krb5 libraries default to checking for these records, so they will automatically find the KDCs. In addition, krb5.conf only allows specifying a _single_ KDC, even there if there is more than one. Using the DNS lookup allows the krb5 libraries to use whichever KDCs are available. I can't speak to the Heimdal implementation as I've never seen it, but I'd suggest modifying the H...

...our Windows clients, but it does cause some headaches for software and some clients that expect to find username/password information in Active Directory. Using the MIT KDC as the KDC for the Samba4 ADS controller would be fine, or some mechanism to sync user principal information between the KDCs should do what I'm looking for. Unfortunately, I'm not certain this functionality is feasible or even possible. John

Hi. As I said... I will bother you. :) I'm wondering if it's possible to make samba as a primary domain controller without having samba passwords, but instead using my two KDCs (MIT K5). Is it possible? What should I use in my smb.conf? The wonderful and less painful thing is samba authenticating via pam... but I don't know how... the documentation is quite misty. -- Sensei <mailto:senseiwa@tin.it> <icqnum:241572242> <msn-id:Se...

...9;net ads join' to join the active directory domain, so that creates it's krb5 file on the fly in /var/lib/samba/smb_krb5. The contents of the files on each server is almost the same -- it is the same information (including capitalization -- you are right on that!) but the order of the KDCs is different. I changed the order to make sure that is not the issue and confirmed that the behavior is the same. I wonder if the package compilation invokes substantially different options for this behavior? I don't know how to tell what configure options are used by the package creators...

...n building a single-sign-on environment (hopefully). We just brought our first set of Windows-based PCs in, and would like to integrate them into our existing Linux/MacOS X environment. We are currently running MIT Kerberos, and would like to create a Samba PDC which authenticates against these KDCs. Another parallel project is to migrate to OpenLDAP. I haven't found a lot of documentation regarding Samba, LDAP, *and* kerberos. It seems the LDAP information is there, but the krb5 stuff hasn't been addressed as well. Can someone provide pointers to any existing docs on using Sam...

Hello, After each reboot, my Samba AD member server lost domain join after reboot, I have to re-enter the server in the domain with the "net ads join -U administrator". I use version 4.4.3 of samba. The domain controller is a Samba AD server. After reboot, when I exectute "net ads testjoin" I have: kerberos_kinit_password SMB2$@AD.SAMDOM.LOCAL failed: failed

...4.2 sitename_fetch: Returning sitename for AD.SAMDOM.LOCAL: "Default-First-Site-Name" saf_fetch[join]: Returning "dc2.ad.SAMDOM.local" for "AD.SAMDOM.LOCAL" domain get_dc_list: preferred server list: "dc2.ad.SAMDOM.local, *" resolve_ads: Attempting to resolve KDCs for AD.SAMDOM.LOCAL using DNS ads_dns_lookup_srv: 2 records returned in the answer section. Adding 2 DC's from auto lookup sitename_fetch: Returning sitename for AD.SAMDOM.LOCAL: "Default-First-Site-Name" name dc2.ad.SAMDOM.local#20 found. check_negative_conn_cache returning result 0...

...pecting having 50+ + computers logging in the windows domain, many different users. Servers will be just unix (linux mainly, and aix/bsd for experiments only) The underlying structure is really simple. All clients (aix, bsd, linux, macosx) are authenticating over our kerberos realm (linux kdcs). User informations are on ldap (home, shell, gid, uid, additional gids...), no password since ldap uses kerberos via gssapi. File serving is provided by AFS. All users have their home in /afs/ cell.name/users/INITIAL/username, no local users. It works perfectly. Now, I'd like to add wind...

...refore deploy large numbers of identical systems, that number will increase significantly. So far, we''re only running a handful of production systems via Puppet; most of the systems currently in Puppet are test/dev systems. We will, however, begin managing some of our production Kerberos KDCs using Puppet this coming weekend. -- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>

...ealm = <EXAMPLE.COM>, domain = .JOIN saf_fetch: failed to find server for "<EXAMPLE.COM>" domain get_dc_list: preferred server list: ", *" internal_resolve_name: looking up <EXAMPLE.COM>#dcdc (sitename Default-First-Site-Name) resolve_ads: Attempting to resolve KDCs for <EXAMPLE.COM> using DNS ads_dns_lookup_srv: 2 records returned in the answer section. ads_dns_parse_rr_srv: Parsed hera.<example.com> [0, 100, 88] ads_dns_parse_rr_srv: Parsed zeus.<example.com> [0, 100, 88] remove_duplicate_addrs2: looking for duplicate address/port pairs int...

...alms. Unidirectional or bidirectional trust relationships may be established between realms to allow the principals in one realm to recognize the authenticity of principals in another. These trust relationships may be transitive. An authentication path is the ordered list of realms (and therefore KDCs) that were involved in the authentication process. The authentication path is recorded in Kerberos tickets as the `transited' field. It is possible for the Key Distribution Center (KDC) of a realm to forge part or all of the `transited' field. KDCs should validate this field before accep...

...alms. Unidirectional or bidirectional trust relationships may be established between realms to allow the principals in one realm to recognize the authenticity of principals in another. These trust relationships may be transitive. An authentication path is the ordered list of realms (and therefore KDCs) that were involved in the authentication process. The authentication path is recorded in Kerberos tickets as the `transited' field. It is possible for the Key Distribution Center (KDC) of a realm to forge part or all of the `transited' field. KDCs should validate this field before accep...

...t;Verzonden: vrijdag 14 augustus 2015 8:58 >Aan: samba at lists.samba.org >Onderwerp: Re: [Samba] winbind_krb5_locator usage > >Hello, > >i investigated further and found out that other member servers >do honor their AD sites. > >It is just that one machine that has both KDCs in it's >"/var/cache/samba/smb_krb5 exists/ krb5.conf.INTRANET". > >I'm a bit puzzled... the smb.conf on this machine and on a >machine that works is 100% identical, only netbios names differ. > >Is there another way to control this behaviour? > >Greeting...

...rver 192.168.16.41 sitename_fetch: Returning sitename for realm 'domain.fqdn': "CAMPUS" saf_fetch: Returning "windc04.domain.fqdn" for "domain.fqdn" domain get_dc_list: preferred server list: "windc04.domain.fqdn, *" resolve_ads: Attempting to resolve KDCs for domain.fqdn using DNS ads_dns_lookup_srv: 3 records returned in the answer section. Adding 3 DC's from auto lookup sitename_fetch: Returning sitename for realm 'domain.fqdn': "CAMPUS" name windc04.domain.fqdn#20 found. check_negative_conn_cache returning result 0 for domai...

...s, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients. (Other resources: MITKRB5-SA-2004-002, CAN-2004-0642) VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free) The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when...

...main = > .JOIN > saf_fetch: failed to find server for "<EXAMPLE.COM>" domain > get_dc_list: preferred server list: ", *" > internal_resolve_name: looking up <EXAMPLE.COM>#dcdc (sitename > Default-First-Site-Name) > resolve_ads: Attempting to resolve KDCs for <EXAMPLE.COM> using DNS > ads_dns_lookup_srv: 2 records returned in the answer section. > ads_dns_parse_rr_srv: Parsed hera.<example.com> [0, 100, 88] > ads_dns_parse_rr_srv: Parsed zeus.<example.com> [0, 100, 88] > remove_duplicate_addrs2: looking for duplicate ad...

...ot; to perform a DNS lookup which are logged during my `net ads join` as `ads_dns_parse_rr_srv` messages. From the log, I can see Samba parsing numerous DCs, some local, some remote. internal_resolve_name: looking up example.domain.com#dcdc (sitename (null)) resolve_ads: Attempting to resolve KDCs for example.domain.com using DNS ads_dns_lookup_srv: 13 records returned in the answer section. ads_dns_parse_rr_srv: Parsed dc02.example.domain.com [0, 100, 88] ads_dns_parse_rr_srv: Parsed remote01-dc01.example.domain.com [0, 100, 88] ads_dns_parse_rr_srv: Parsed remote01-dc02.example.domain....

Hello, I have different Sites in my domain and want the different members to use the respective domain controller of their site. I can't get this to work right. I have a member that is in site B but executing "net ads info" outputs the DC of site A as active. I read about enabling "winbind_krb5_locator", but it is already located in

..."WIN-1LSRCE1UUM6.srv2008r2-1.esxi.soliton.local" for "srv2008r2-1.esxi.soliton.local" domain get_dc_list: preferred server list: "WIN-1LSRCE1UUM6.srv2008r2-1.esxi.soliton.local, *" no entry for srv2008r2-1.esxi.soliton.local#1C found. resolve_ads: Attempting to resolve KDCs for srv2008r2-1.esxi.soliton.local using DNS ads_dns_lookup_srv: 1 records returned in the answer section. sitename_fetch: Returning sitename for SRV2008R2-1.ESXI.SOLITON.LOCAL: "Default-First-Site-Name" no entry for WIN-1LSRCE1UUM6.srv2008r2-1.esxi.soliton.local#20 found. resolve_hosts:...