search for: krb5_config

...e are running samba version 3.0.25a and Heimdal 0.6.3 for kerberos. With 3.0.25a version of Samba, we observe that if we are attempting to join our primary domain in ADS mode and the Active Directory happens to be the closest DC, samba creates its own local private krb5 conf file and overrides the KRB5_CONFIG environment variable [create_local_private_krb5_conf_for_domain() is invoked from function ads_dc_name() in file libsmb/namequery_dc.c] Is there a specific reason for creating a custom krb5 conf file instead of using the default krb5 conf or the conf file specified in the environment variable KRB5...

...be made with ftp o scp, depending of the unix server) 4.2. Register the key in your unixmachine: /home1/kerberos5/sbin/ktutil ktutil: rkt /etc/krb5/unixmachine.keytab ktutil: wkt /etc/krb5/krb5.keytab ktutil: q 5. Configure some env vars:: KRB5_CONFIG=/etc/krb5/krb5.conf KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf DEFAULT_KEYTAB_NAME=/etc/krb5/krb5.keytab LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local: \ /usr/local/include:/usr/local/lib:/usr/lib/iconv export KRB5_CONFIG KRBR_KDC_PROFILE LD_LIBRARY_PATH \ DEFAULT_KEYTAB_NAME 6. Genera...

Hi all, I've got on AD DC using Samba 4.4.3 on Centos7 which accept Kerberos connections (kinit is working), which accept ldapsearch with credentials but which refuse ldapsearch with GSSAPI. The issue does not seem to be coming from the client as I discovered this issue writing a script to test all 22 DC, and all 21 others DC are working well from that client. The error: SASL/GSSAPI

Hi all, I'd like to perform some ldapsearch against my AD domain. And I'd like to be able to perform these ldapsearch using GSSAPI to avoid usage of password in scripts. DC are using default configuration file: ---------------------------------------- # Global parameters [global] workgroup = SAMBA.DOMAIN realm = SAMBA.DOMAIN.TLD netbios name = M707 server

...haviour. To test each DC we just have to replace ldap://SAMBA.DOMAIN.TLD by ldap://DC1.SAMBA.DOMAIN.TLD, then ldap://DC2.SAMBA.DOMAIN.TLD... To test Kerberos we need to use a dedicated Kerberos configuration file (by default it's /eetc/krb5.conf). To do that we have to set environment variable KRB5_CONFIG: export KRB5_CONFIG=/path/to/krb5.DC1.conf And in /path/to/krb5.DC1.conf: ---------------------------------------- [libdefaults] default_realm = SAMBA.DOMAIN.TLD rdns_lookup_realm = false rdns_lookup_kdc = false dns_lookup_realm = false dns_lookup_kdc = fals...

...we just have to replace ldap://SAMBA.DOMAIN.TLD > by ldap://DC1.SAMBA.DOMAIN.TLD, then ldap://DC2.SAMBA.DOMAIN.TLD... > > To test Kerberos we need to use a dedicated Kerberos configuration file > (by default it's /eetc/krb5.conf). To do that we have to set environment > variable KRB5_CONFIG: > export KRB5_CONFIG=/path/to/krb5.DC1.conf > > And in /path/to/krb5.DC1.conf: > ---------------------------------------- > [libdefaults] > default_realm = SAMBA.DOMAIN.TLD > rdns_lookup_realm = false > rdns_lookup_kdc = false > dns_lookup...

...sting following a working kinit) from any host but it works when launched from the non-working-server kinit -k -t administrator.keytab administrator ldapsearch -Y GSSAPI -b 'dc=ad,dc=domain,dc=tld' -h dc106 sAMAccountName=administrator dn -d256 - kinit works from any tested host (exporting KRB5_CONFIG variable to point to a krb5.conf forcing usage of my non-working-server) with config containing: [libdefaults] default_realm = AD.DOMAIN.TLD [realms] AD.DOMAIN.TLD = { kdc = 10.11.12.13 } 2016-06-07 15:29 GMT+02:00 mathias dufresne <infractory at gmail.com>...

...;> dns_lookup_kdc = true > >> krb4_config = /etc/krb.conf > >> krb4_realms = /etc/krb.realms > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > You can remove the krb4_ stuff > > > krb5_config = /etc/krb5.conf > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > You don't necessarely require that. > > >> kdc_timesync = 1 > >> ccache_type = 4 > >> forwardable = true >...

...om ldb_tdb.h. * BUG 9609: ldb: Change ltdb_unpack_data to take an ldb_context. * BUG 9610: dsdb: Make secrets_tdb_sync cope with -H secrets.ldb. o Bj?rn Baumbach <bb at sernet.de> * BUG 9512: wafsamba: Use additional xml catalog file. * BUG 9517: samba_dnsupdate: Set KRB5_CONFIG for nsupdate command. * BUG 9552: smb.conf(5): Update list of available protocols. * BUG 9568: Add dbwrap_tool.1 manual page. * BUG 9569: ntlm_auth(1): Fix format and make examples visible. o Ira Cooper <ira at samba.org> * BUG 9575: Duplicate flags defined in the winbindd...

...om ldb_tdb.h. * BUG 9609: ldb: Change ltdb_unpack_data to take an ldb_context. * BUG 9610: dsdb: Make secrets_tdb_sync cope with -H secrets.ldb. o Bj?rn Baumbach <bb at sernet.de> * BUG 9512: wafsamba: Use additional xml catalog file. * BUG 9517: samba_dnsupdate: Set KRB5_CONFIG for nsupdate command. * BUG 9552: smb.conf(5): Update list of available protocols. * BUG 9568: Add dbwrap_tool.1 manual page. * BUG 9569: ntlm_auth(1): Fix format and make examples visible. o Ira Cooper <ira at samba.org> * BUG 9575: Duplicate flags defined in the winbindd...

...it) from any host but it works when launched from the > non-working-server > kinit -k -t administrator.keytab administrator > ldapsearch -Y GSSAPI -b 'dc=ad,dc=domain,dc=tld' -h dc106 > sAMAccountName=administrator dn -d256 > > - kinit works from any tested host (exporting KRB5_CONFIG variable to > point to a krb5.conf forcing usage of my non-working-server) > with config containing: > [libdefaults] > default_realm = AD.DOMAIN.TLD > > [realms] > AD.DOMAIN.TLD = { > kdc = 10.11.12.13 > } > > > > 2016-06-07 15:...

...krb4_config = /etc/krb.conf > > > >> krb4_realms = /etc/krb.realms > > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: > > > > > > You can remove the krb4_ stuff > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? > > > You don't necessarely require that. > > > > > > >> kdc_timesync = 1 > > > >> cc...

...= /etc/krb.conf >>>>>> krb4_realms = /etc/krb.realms >>>>> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have: >>>> >>>> You can remove the krb4_ stuff >>>> >>>>> krb5_config = /etc/krb5.conf >>>>> >>>>> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there? >>>> You don't necessarely require that. >>>> >>>>>> kdc_timesync = 1 >>>>>>...

On 27.06.2016 07:31, Mark Foley wrote: > Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying > you've not actually tried NTLM yourself, right? I've never gotten a response from someone > saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be > the problem, but email clients I've tried

...> >> krb4_realms = /etc/krb.realms > > > > > Here, you have krb4_*. Do you mean that? My config file is > krb5.conf. Should I rather have: > > > > > > > > You can remove the krb4_ stuff > > > > > > > > > krb5_config = /etc/krb5.conf > > > > > > > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what > should be in there? > > > > You don't necessarely require that. > > > > > > > > >> kdc_timesync = 1 >...

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

Hi, I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux member servers with my PDC being offline (plugged the cable). It is not working so well. On Windows it initially takes forever. It works again after rebooting the client, which seems to be the easiest solution (can be performed by the user). On Linux member servers, ssh log-in eventually times out. It works again,

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

...e "bin/python/samba/netcmd/domain.py", line 689, in run machinepass=machinepass) Join failed NSS_WRAPPER_HOSTS='/home/user/src/samba-git/samba/st/hosts' SOCKET_WRAPPER_DEFAULT_IFACE="23" RESOLV_WRAPPER_HOSTS="/home/user/src/samba-git/samba/st/dns_host_file" KRB5_CONFIG="/home/user/src/samba-git/samba/st/s4member/etc/krb5.conf" KRB5CCNAME="/home/user/src/samba-git/samba/st/s4member/krb5_ccache" RESOLV_CONF="/home/user/src/samba-git/samba/st/dns_hub/rootdnsforwarder/resolv.conf" python3 ./bin/samba-tool domain join --configfile=/home/u...

Thanks for the reply, Besides the problem with source4/lib/messaging/messaging_handlers.c, Good to hear that selftest is actively used, then do I understand it right that 'make test' should succeed? My bigger problem is that it failed with lots of errors. This must be a problem with my build, then, but since this is a fresh tarball I am a bit puzzled. I would appreciate some hint on