search for: keytab2

On 05/11/2019 12:17, banda bassotti via samba wrote: > Luis, ok I'v removed everything, step 1: > > KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P I have said this once already, but, I will try again ;-) You are creating a keytab, which may or may not be called /etc/krb5.keytab2 > step2: > # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD > cifs/oldsamba.dom.corp at DOM.CORP > # KRB5_KTNAME=FILE:/...

...d = secrets and keytab dedicated keytab file = /etc/krb5.keytab # renew the kerberos ticket winbind refresh tickets = yes ON THIS MEMBER... ( you dont run : samba-tool spn list ..... ) You run : net ads keytab cp /etc/krb5.keytab{,.backup} kinit Administrator KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P Verify this keytab. klist -ke /etc/krb5.keytab2 You want to see : host/NETBIOSNAME at DOM.CORP ( x5 ) host/fqdn.hostname.dom.tld at DOM.CORP ( x5 ) NETBIOSNAME$@DOM.CORP ( x5 ) This you see these.. Then run this to add the cifs keytab. KRB5_KTNAME=FILE:/etc/krb5....

...dedicated keytab file = /etc/krb5.keytab # renew the kerberos ticket winbind refresh tickets = yes ON THIS MEMBER... ( you dont run : samba-tool spn list ..... ) You run : net ads keytab cp /etc/krb5.keytab{,.backup} kinit Administrator KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P Verify this keytab. klist -ke /etc/krb5.keytab2 You want to see : host/NETBIOSNAME at DOM.CORP ( x5 ) host/fqdn.hostname.dom.tld at DOM.CORP ( x5 ) NETBIOSNAME$@DOM.CORP ( x5 ) This you see these.. Then run this to add the cifs keytab. KRB...

Hai, Nope.. To much again ;-) This is one step to much: step2: # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP And why are you adding @REALM .. Do it exactly as shown below. Because a CNAME...

Hi, the problem seems to be related to this bug: https://bugzilla.samba.org/show_bug.cgi?id=6750 I try therefore to set machine password timeout = 0 Il giorno mar 29 ott 2019 alle ore 11:11 Rowland penny via samba < samba at lists.samba.org> ha scritto: > On 29/10/2019 10:04, banda bassotti wrote: > > I had already done it: > > > > # samba-tool spn list

...the share location : usershare path = or use it or disabled it, now its?? you tell me.. ;-) . but beside above points your setup looks pretty good. @Rowland, This might help you understanding my responce on this one. > You are creating a keytab, which may or may not be called /etc/krb5.keytab2 ^^^^^^^^ was only used to not accidently destroy his old keytab file. But since its replaced anyway now. Ps, keytab name is not significant. What is significantis, what is set for : default_keytab_name in krb5.conf Which ofcourse defaults to FILE:/etc/krb5.keytab > > Failed to find cif...

...= > or use it or disabled it, now its?? you tell me.. ;-) . > > but beside above points your setup looks pretty good. > > @Rowland, > This might help you understanding my responce on this one. > > > You are creating a keytab, which may or may not be called > /etc/krb5.keytab2 > > ^^^^^^^^ was only used to not accidently destroy his old keytab file. > But since its replaced anyway now. > > Ps, keytab name is not significant. > What is significantis, what is set for : default_keytab_name in krb5.conf > Which ofcourse defaults to FILE:/etc/krb5.keytab...

Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5)...

...>>> >>> but beside above points your setup looks pretty good. >>> >>> @Rowland, >>> This might help you understanding my responce on this one. >>> >>> > You are creating a keytab, which may or may not be called >>> /etc/krb5.keytab2 >>> >>> ^^^^^^^^ was only used to not accidently destroy his old keytab file. >>> But since its replaced anyway now. >>> >>> Ps, keytab name is not significant. >>> What is significantis, what is set for : default_keytab_name in >>> krb...

...some old list mails. (somehere 2012) > > Which ofcourse defaults to FILE:/etc/krb5.keytab > I was trying show that a keytab was being created but not used. Ahh.. And i created a keytab for him that did not overwrite his original keytab.. And in the other mails you missed the mv /etc/krb5.keytab2 /etc/krb5.keytab ;-) > > > > > >>> Failed to find cifs/oldsamba at DOM.CORP(kvno 113) in keytab > >>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] > >> Then something reads the keytab in memory and cannot find the > >> required SPN, or to put...

...there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that wil...

...there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that wil...

...there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that wil...

...there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that wil...

...there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that wil...

...there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that wil...