search for: kerberised

Hi All, anyone else found that adding a Samba server to an AD domain appears to be incompatible with using an AD Kerberos realm to provide other Kerberised services such as NFS from the same UNIX host? Problem I have is that when you join an AD domain thorough Samba 3.x net command this creates a computer account in the AD to which the administrator does not know the account password. If you following MS guidelines for configuring other UNIX Kerberi...

...KrbMethodK5Passwd Off KrbServiceName HTTP KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/httpd/conf/keytab require valid-user </Directory> chmod 400 /etc/httpd/conf/keytab chown www-data:www-data /etc/httpd/conf/keytab > In fact i'm stuck between my two problems (root acces to Kerberised NFS > share / www-data access to userdir into a Kerberised NFS share), > contrary to what I thought It's the root acces the more difficult to > resolve... This is because of your layout for your website. Now, your "abuseing" the user homedir, and normaly thats a private dir...

As Samba 3.x does not work with the Kerberos included with Solaris (it has no headers) I have to remove it and replace it with MIT kerberos. Does anyone know if Solaris kerberised services will still work normally (without modification) such as kerberised NFS? I briefly tested this and couldn't het it to work, but if someone has a definative answer it might save me a lot of trouble, thanks in advance, Andy. BBCi at http://www.bbc.co.uk/ This e-mail (and any attachmen...

It's ok So, if I create a httpuser and an httpgroup in my AD and use these at owner and group for my apache2 daemon, this one could access to userdirs (while permissions granting it) ? But I need to cron 'kinit' to keep valid ticket... ? My local root user always can't access to the share, but my other problem seems to be resolved. Thanks Le 02/08/2016 à 16:37, Rowland

...ctory> > >>> chmod 400 /etc/httpd/conf/keytab > >>> chown www-data:www-data /etc/httpd/conf/keytab > >>> > >> That's exactly what I thought. I'll try this soon. > >>>> In fact i'm stuck between my two problems (root acces to Kerberised > NFS > >>>> share / www-data access to userdir into a Kerberised NFS share), > >>>> contrary to what I thought It's the root acces the more difficult to > >>>> resolve... > >>> This is because of your layout for your website. > &gt...

...require valid-user > > </Directory> > > chmod 400 /etc/httpd/conf/keytab > > chown www-data:www-data /etc/httpd/conf/keytab > > > That's exactly what I thought. I'll try this soon. > >> In fact i'm stuck between my two problems (root acces to Kerberised NFS > >> share / www-data access to userdir into a Kerberised NFS share), > >> contrary to what I thought It's the root acces the more difficult to > >> resolve... > > This is because of your layout for your website. > > Now, your "abuseing" the...

...memory: > > > > security=user > > > > use kerberos keytab = system keytab > > Thanks! Obviously there is no "net ads join" command, so  > anything to be done instead of that? You need a keytab for cifs/hostname just as you would for IMAP or some other kerberised service. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Hai Achim, Thank you for helping out a bit. Very welkom. For the 4.8.5 anything with winbind because there was a location change in the krb5_locator (Winbind krb5 locator, to usr/lib/*/krb5/plugins/winbind) ( was bugzilla nr 13489 ) Im deploying now a to my production, sofar i dont any seen problem. The where a lot of changes in the build, better safe then sorry.. Greetz, Louis

...e is password (and hence in an ADS environment its SPN password) every so often? If so is a consequence of this that any keytab created with net ads kytab will become out of date sooner or latter. Does use Kerberos keytab in smb.conf fix this? If not why might you use it? Should samba and the kerberised applications share a Kerberos entry or should I create a sepperate identity for the non-samba applications in AD and extract a key tab via ktpass.exe on the Windows side of things. Thanks for your help in advance Regards, RB

...e... After some research, I think I need to install mod_auth_krb5 to specify at least how to find this keytab (even if I don't need Apache authentication against Kerberos). I will try this today and comme back to say if it works ! In fact i'm stuck between my two problems (root acces to Kerberised NFS share / www-data access to userdir into a Kerberised NFS share), contrary to what I thought It's the root acces the more difficult to resolve... Thanks Rowland, Greetz, Bruno Le 02/08/2016 à 18:20, Rowland Penny a écrit : > On Tue, 2 Aug 2016 17:05:37 +0200 > Bruno MACADRÉ <b...

...rse negTokenTarg at offset 54 Started to wonder why this was happening, then read more about "security = domain" and found: "In order for this method to work, the Samba server needs to join the MS Windows NT security domain" Well, of course I don't have this. I have a kerberised samba solaris host using an OpenLDAP system as a PDC/KDC. How does one achieve "security = domain" in this circumstance? How does my samba server join the OpenLDAP "domain" per se? Thanks. JC

...> However, I need to find a way to take care of the > mapping after the domain user log in. You mean a domain users login on a linux member? I use CIFS/NFS auto mounting homedirs, i use NFSv4 (kerberized) and automounting currently. I'll make a small howto on howto setup the NFSv4 kerberised part, my current setup is stable and im can repeat it without problems. And as usual, it is pretty easy IF you know how. ;-) And is you "different gid/uid" problem also solved? Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.sa...

Hi All, I have machine M1 hosting Samba PDC. It stores only user information. I have machine M2 acting as KDC server. I have machine M3 hosting CIFS shares and it joins into the domain hosted by PDC M1. I have machine M4 used as CIFS client. On M2, I have added users and cifs/host service principals for M3. Also added service principal in keytab file. I have added all the user and service

Has anyone had any success using net ads join to create a new service principal and join Active Directory using samba 3.5.8. This works fine in 3.0.35 but I'm not able to get a working create/join with 3.5.8 In samba 3.0.35 (on a host which is already allowing kerberised loginsvia AD), the following works: net ads join createupn='CIFS/host.domain.com' \ createcomputer='path/to/principal/' -U myadlogin After upgrading and restarting, samba works fine but deleting the AD service principal and samba/private files to reconfigure, the net join fails:...

> > When I try to > > access even an already-mounted NFS directory to which I have permission, > > gssproxy complains: > > > > Jul 10 08:55:51 smb gssproxy: gssproxy[1469]: (OID: { 1 2 840 113554 1 2 > 2 > > }) Unspecified GSS failure. Minor code may provide more information, > > Client 'host/smb.soe.ucsc.edu at AD.SOE.UCSC.EDU' not found in

Hi Samba Users, I have Samba providing shares to several XP clients. The clients currently authenticate using private/smbpasswd. I do not have an Active Directory server nor any Windows servers. I also have an MIT KDC. Various services have been Kerberised including SSH (proper GSSAPI negotiation) and Apache (Basic auth). This is all functioning correctly. The Apache login and SSH logins from the XP clients obviously are not SSO. I want the Samba software to use Kerberos authentication as well. However it won't be possible for the XP clients to...

...t's more interesting > is that you CAN make Samba 4 from EL 7 work with FreeIPA for > authentication via NTLM AND Kerberos. I already have implemented this > using the stock Red Hat Packages and authentication works via FreeIPA > using both MS-RPC authentication in NTLM form and Kerberised > authentication. .... > This means that that never will be a samba-ad for redhat/centos. Then, if I as I understand the reply, with Centos7 + Samba 4 in old NT4 -DC mode + Kerberos + FreeIPA ( I do not know what it is FreeIPA) it's possible setup a Linux PDC working with all versions...

On Thu, 20 Apr 2017 07:32:16 -0600 (MDT) S P Arif Sahari Wibowo via samba <samba at lists.samba.org> wrote: > On 2017-04-20, 03:35, Andrew Bartlett via samba wrote: > > I think you really want to move to Samba as an AD DC. > > In that case, how can I setup a Samba AD DC which has its > authentication came from another non-AD Kerberos service? > Preferably in a

I agree that this sounds like, and indeed is, a recipe for disaster. I was going to explain some of the woes of our environment but I don't think it's actually relevant after looking at my problem a bit more. If I'm way off base I'm happy to be herded back, but please tolerate me as I share what I am seeing today because I really hope to solve the narrow issue of SMB file access

...rberos > server as the authentication source. > > Will this be possible? > > Can this be done without the MS Windows and macOS client have direct > access to the Kerberos server? > >> You need a keytab for cifs/hostname just as you would for IMAP or some >> other kerberised service. > > Do you know how this works in MS Windows / macOS? > There is a tutorial how to make a Kerberos server to be a samba server too. It is available at: http://www.danbishop.org/2015/01/30/ubuntu-14-04-ultimate-server-guide/8/