Displaying 20 results from an estimated 23 matches for "krb5_ccname".
2007 Oct 05
3
User database ldap lookups and sasl
...dap for unix host accounts, I understand the credentials cache
should be initiated by an external program (cron and startup script),
at least with the TGT and maybe the TGS for ldap.
Since usually kerberosv5 cache is based on the user id ( /tmp/krb5cc_0
for root) there's an option in ldap.conf (krb5_ccname) to set the
filename (/etc/.ldapcache in nss_ldap tutorials) for this cache.
Is there any way to do this with dovecot-ldap.conf or should I try to
use "auth user" default cache filename ?
Thanks in advance
2012 Jul 12
2
nslcd service - "Client not found in Kerberos database"
Hi,
I am trying to configure the nslcd service on an Ubuntu client for kerberos
authentication against samba4. My /etc/nslcd.conf contains the following:
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
I have added the host principal "host/ubuntu-test.mydomain.net @
MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the client
by using ktutil. I have confirmed that the principals exist on both
machines by using klist -ke /etc/krb5.keytab.
"hostname...
2012 Jan 15
3
Samba 4 ldb_wrap open of idmap.ldb
...rPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group uniqueMember member
#map group gidNumber gid
#sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
Thanks
Steve
2014 Oct 05
1
What is wrong with my nslcd configuration?
...p passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map group member member
# Kerberos
#sasl_mech GSSAPI
#sasl_realm CORP.OFLAMEO.COM
#krb5_ccname /tmp/nslcd.tkt
# The LDAP protocol version to use.
#ldap_version 3
# LDAP bind (Account in AD that is used from nslcd to bind to the directory)
binddn cn=ldap-connect,cn=Users,dc=corp,dc=oflameo,dc=com
bindpw icanread33#
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=...
2004 Dec 06
3
ADS Authentication
I'm about ready to smash my head through a wall...I could use a few answers.
1. When using security = ads, and completing net ads join, it was my
understanding that samba authenticated username/pword against ads, and
local posix accounts were no longer needed, is this true?
2. If yes, I have not been able to get it to work. If I have a posix
user account with the same name as one in
2013 Oct 26
2
lost with AD auth
...uid nslcd
gid nslcd
uri ldap://serveur.radiodjiido.nc
base DC=radiodjiido,DC=nc
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt
checking that k5start is well running:
ps ax | grep k5
->
2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o
nslcd -K 540 -k /tmp/nslcd.tkt
klist
->
Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
Default principal: serveur at RADIODJIIDO.NC
Valid starting...
2012 Feb 12
0
Samba 4 no longer accepts SASL GSSAPI?
...Update(krb5)(1) Update failed: An unsupported mechanism was
requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
The call is from here:
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
There is a ticket cache in /tmp/krb5cc_0
A conventional bind works fine.
Thanks,
Steve
2012 Jan 11
6
Samba 4 kerberos and kinit
Hi
After starting Samba 4, before anyone can do anything, Administrator has
to do a kinit to get a new ticket. This creates a cache /tmp/krb5cc_0
with an expiry time.
I've created a host principal and put it into the keytab:
samba-tool spn add host someuser
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
How can I keep Samba 4 up without having to get a new
2020 Jun 22
2
Winbind help - with domain migration.
Hello guys
I need some lights to migrate a Winbind/Samba share to a new AD.
My scenario is:
I have an old AD running on a Debian 9 and Samba 4.5.16 with many
replication issues.
Then I decided to create a new one from scratch using Debian 10 and
Samba 4.12.2 (and everything is working perfectly). I have migrated all the
accounts/machines/etc from old to new domain without any problem.
Both the
2020 Jun 22
0
Winbind help - with domain migration.
...ation at which the LDAP server(s) should be reachable.
uri             ldap://dc1.samdom.example.com/
base            dc=samdom,dc=example,dc=com
pagesize        1000
referrals       off
nss_nested_groups yes
# Kerberos authentication to AD
sasl_mech       GSSAPI
sasl_realm      SAMDOM.EXAMPLE.COM
krb5_ccname     /tmp/nslcd.tkt
# Filters. Disable, if your:
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)
# Attribute mappings
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
# Uncom...
2012 Jan 17
1
Samba 4 and GSSAPI kerberos ldap connect
Hi everyone
I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
moment, I authenticate by specifying the binddn and password in
/etc/nslcd.conf and all works fine
If I add the line:
sasl_mech GSSAPI
to /etc/nslcd.conf
and restart nslcd, no one can connect to the database. Nothing works.
ldapsearch and getent passwd draw a blank.
ldapsearch -x -b '' -sbase
2012 May 23
2
multi home dir locations
Hi all,
I've got samba 3.6 joined to an AD domain (s4 in this case)
running winbind
all looks ok, but I ran into a problem (for us that is)
I've got 2 groups (students and employees)
who have their home dirs in 2 different places.
/home/students/<user>
/home/employ/<user>
so far so good, but i can't make the [homes] work for both of them (just
1 group)
in winbind
2020 Jun 22
2
Winbind help - with domain migration.
...able.
> uri ldap://dc1.samdom.example.com/
> base dc=samdom,dc=example,dc=com
> pagesize 1000
> referrals off
> nss_nested_groups yes
>
> # Kerberos authentication to AD
> sasl_mech GSSAPI
> sasl_realm SAMDOM.EXAMPLE.COM
> krb5_ccname /tmp/nslcd.tkt
>
> # Filters. Disable, if your:
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map pas...
2019 Apr 12
3
Sudo rules in samba with winbind
Hello All,
I am currently changing my samba linux clients (Debian) from sssd binding
to winbind.
With sssd I had all sudo rules within the samba active directory.
The configuration was based on:
https://lists.samba.org/archive/samba/2016-April/199402.html
Is there some guideline like the one mentioned available/has someone
already experience with this for winbind based clients?
Within the
2004 Aug 12
14
Pending OpenSSH release, call for testing.
Hi All.
OpenSSH is getting ready for a release soon, so we are asking for all
interested parties to test a snapshot.
Changes include:
* sshd will now re-exec itself for each new connection (the "-e" option
is required when running sshd in debug mode).
* PAM password authentication has been (re)added.
* Interface improvements to sftp(1)
* Many bug fixes and improvements, for
2012 Feb 13
0
samba Digest, Vol 110, Issue 12
...mechanism was
> requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
>
> The call is from here:
>
> base dc=hh3,dc=site
> map passwd uid samAccountName
> map passwd homeDirectory unixHomeDirectory
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> There is a ticket cache in /tmp/krb5cc_0
>
> A conventional bind works fine.
> Thanks,
> Steve
>
>
>
> ---------- Forwarded message ----------
> From: Matthieu Patou <mat at samba.org>
> To: samba at lists.samba.org, "Lars M?ller"...
2005 Apr 21
0
Problem with groups & joining domain.- LDAP
...man ciphers for syntax
tls_ciphers HIGH:MEDIUM:SSLv2
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
(END)
2008 Sep 27
2
Graphical net install
Is it at all possible to do a graphical netinstall ?
I am using centos 5.2, and i have been doing net installs (pxe) for a
while in console mode...
--
Test <test at remedial-teacher.nl>
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2009 Mar 04
0
Can anyone comment on my setup?
...suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
uri ldap://centserver.abc.com:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
12.authconfig-tui
Mark at the...