Displaying 18 results from an estimated 18 matches for "krb5_trace".
2014 Feb 20
0
samba4 success/failure report...all's working despite kerberized ssh
...te:
> > On Wed, Feb 19, 2014 at 11:50:59AM +0100, Sumit Bose wrote:
> > >
> > > This looks all good, the additional output after kdestroy is due to
the
> > > fact that the TGT must be requested here too.
> > >
> > > Can you run sshd on mail with KRB5_TRACE as well?
> > >
> > > bye,
> > > Sumit
> > >
> >
> > KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222
> >
> > I am sorry, this does not reveal any new messages...
> >
> > but I think kerberos authentication is active:
>...
2016 Jan 06
2
Authentication to Secondary Domain Controller initially fails when PDC is offline
...https://lists.samba.org/mailman/options/samba
>>
>>
>
>
Ole,
Sorry you are having so many issues. I've tried reading back
through this thread to verify everything that has been covered. Can you
try this command with the "PDC up and down? Reply with your findings.
KRB5_TRACE=/dev/stdout kinit administrator
--
-James
2018 Sep 22
1
Printing via SMB-Kerberos no longer works
Robert Schetterer wrote:
> Alex Persson wrote:
>> Robert Schetterer wrote:
>>> Alex Persson wrote:
>>>> After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb).
>>>>
>>>>
2018 Apr 14
3
smbclient kerberos auth fails
...s/foo.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
I've attached a network trace with SMB, DNS and kerberos traffic.
-------------- next part --------------
Adding KRB5_TRACE=/dev/stderr to the env I get:
KRB5_TRACE=/dev/stderr smbclient //foo.com/share -k
[14620] 1523708816.549070: Getting credentials aaptel at FOO.COM -> cifs/foo.com at FOO.COM using ccache DIR::/run/user/1000/krb5cc/tkt
[14620] 1523708816.549204: Retrieving aaptel at FOO.COM -> cifs/foo.com at...
2019 Dec 13
0
Samba AD Trust and Linux Clients Failing with Kerberos
...on SUB.DOMAIN.COM with an admin/user account from DOMAIN.COM with no issue.
Linux machines on SUB.DOMAIN.COM however, cannot access anything on DOMAIN.COM. Just trying to get a Kerberos ticket via kinit USER at DOMAIN.COM<mailto:USER at DOMAIN.COM> fails.
[root at client.SUB.DOMAIN.COM /]# KRB5_TRACE=/dev/stdout kinit user at DOMAIN.COM
[1221] 1576265136.982936: Getting initial credentials for user at DOMAIN.COM
[1221] 1576265136.982938: Sending unauthenticated request
[1221] 1576265136.982939: Sending request (196 bytes) to DOMAIN.COM
[1221] 1576265137.5412: Retrying AS request with master KDC...
2016 Jan 05
3
Authentication to Secondary Domain Controller initially fails when PDC is offline
For the member servers, to reduce timeouts etc when one DC is down.
Change your resolv.conf to :
domain internal.domain.tld
search internal.domain.tld
nameserver IP_DC1
nameserver IP_DC2
options timeout:2
options attempts:2
options rotate
options edns0
see man resolv.conf for the options explained.
Ow.. and ..
domain and search are NOT exclusive anymore in Debian Jessie and up.
At least,
2016 Jan 07
0
Authentication to Secondary Domain Controller initially fails when PDC is offline
...>>>
>> Ole,
>>
>> Sorry you are having so many issues. I've tried reading back
>> through this thread to verify everything that has been covered. Can you
>> try this command with the "PDC up and down? Reply with your findings.
>>
>> KRB5_TRACE=/dev/stdout kinit administrator
>>
>> --
>> -James
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
2016 Jan 07
6
Authentication to Secondary Domain Controller initially fails when PDC is offline
...t;>
> >>
> >
> >
> Ole,
>
> Sorry you are having so many issues. I've tried reading back
> through this thread to verify everything that has been covered. Can you
> try this command with the "PDC up and down? Reply with your findings.
>
> KRB5_TRACE=/dev/stdout kinit administrator
>
> --
> -James
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
2016 Jan 07
0
Authentication to Secondary Domain Controller initially fails when PDC is offline
>>
> Ole,
>
> Sorry you are having so many issues. I've tried reading back
> through this thread to verify everything that has been covered. Can
> you try this command with the "PDC up and down? Reply with your findings.
>
> KRB5_TRACE=/dev/stdout kinit administrator
>
up:
[25392] 1452162640.959713: Getting initial credentials for
administrator at my.domain.tld
[25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld
[25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld.
[25392] 1452162640.964554:...
2016 Dec 19
5
Problem with keytab: "Client not found in Kerberos database"
...from dgram
192.168.5.86:88
[17919] 1482170475.963784: Response was not from master KDC
[17919] 1482170475.963803: TGS request result: -1765328378/Client not
found in Kerberos database
But if I kinit with a real user, it works fine:
root at wrn-radtest:~# kinit brian
...
root at wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h
wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base
SASL/GSSAPI authentication started
SASL username: brian at AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=example,dc=net> wi...
2017 Nov 01
2
Winbind, Kerberos, SSH and Single Sign On
...ubdom2.subdom1.example.de is a
subdomain (bidirectional trust) of subdom1.example.de.
When I try to ssh to a client I'm getting the service ticket for the
client. But it still prompts the password question.
On the ssh-client side I'm getting the following SSH debug information:
...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Apply...
2017 Nov 01
0
Winbind, Kerberos, SSH and Single Sign On
...(bidirectional trust) of subdom1.example.de.
>
> When I try to ssh to a client I'm getting the service ticket for the
> client. But it still prompts the password question.
>
> On the ssh-client side I'm getting the following SSH debug
> information:
>
> ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
> OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
> debug1: Reading configuration data /home/user1/.ssh/config
> debug1: /home/user1/.ssh/config line 17: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/...
2017 Nov 02
2
Winbind, Kerberos, SSH and Single Sign On
...ubdom1.example.de.
>>
>> When I try to ssh to a client I'm getting the service ticket for the
>> client. But it still prompts the password question.
>>
>> On the ssh-client side I'm getting the following SSH debug
>> information:
>>
>> ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
>> OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
>> debug1: Reading configuration data /home/user1/.ssh/config
>> debug1: /home/user1/.ssh/config line 17: Applying options for *
>> debug1: Reading configuration data /etc/ssh/ssh_config
>&g...
2015 Jan 03
2
Samba4 Kerberos kinit does not resolve kdc hostname
...al.
Everything seems to be set up nice.
During Domain creation samba4 provides an krb5.conf file:
Code:
/etc/krb5.conf (provided by samba4)
[libdefaults]
default_realm = FAMILY.RAPSBERRY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
This results in:
Code:
# KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL
[6195] 1420299460.392810: Getting initial credentials for Administrator at FAMILY.RAPSBERRY.LOCAL
[6195] 1420299460.399120: Sending request (208 bytes) to FAMILY.RAPSBERRY.LOCAL
[6195] 1420299460.492736: Resolving hostname rasp.family.rapsbe...
2015 Jan 03
2
Samba4 Kerberos kinit does not resolve kdc hostname
...t;>
>> /etc/krb5.conf (provided by samba4)
>>
>> [libdefaults]
>> default_realm = FAMILY.RAPSBERRY.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> This results in:
>>
>> Code:
>>
>> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL
>> [6195] 1420299460.392810: Getting initial credentials for
>> Administrator at FAMILY.RAPSBERRY.LOCAL
>> [6195] 1420299460.399120: Sending request (208 bytes) to
>> FAMILY.RAPSBERRY.LOCAL
>> [6195] 142029946...
2015 Jan 03
1
Samba4 Kerberos kinit does not resolve kdc hostname
...ibdefaults]
>>>> default_realm = FAMILY.RAPSBERRY.LOCAL
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> This results in:
>>>>
>>>> Code:
>>>>
>>>> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL
>>>> [6195] 1420299460.392810: Getting initial credentials for
>>>> Administrator at FAMILY.RAPSBERRY.LOCAL
>>>> [6195] 1420299460.399120: Sending request (208 bytes) to
>>>> FAMILY.RAPSBERRY...
2015 Jan 03
0
Samba4 Kerberos kinit does not resolve kdc hostname
...amba4 provides an krb5.conf file:
>
> Code:
>
> /etc/krb5.conf (provided by samba4)
>
> [libdefaults]
> default_realm = FAMILY.RAPSBERRY.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> This results in:
>
> Code:
>
> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL
> [6195] 1420299460.392810: Getting initial credentials for
> Administrator at FAMILY.RAPSBERRY.LOCAL
> [6195] 1420299460.399120: Sending request (208 bytes) to
> FAMILY.RAPSBERRY.LOCAL
> [6195] 1420299460.492736: Resolving...
2015 Jan 03
0
Samba4 Kerberos kinit does not resolve kdc hostname
...samba4)
>>>
>>> [libdefaults]
>>> default_realm = FAMILY.RAPSBERRY.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> This results in:
>>>
>>> Code:
>>>
>>> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL
>>> [6195] 1420299460.392810: Getting initial credentials for
>>> Administrator at FAMILY.RAPSBERRY.LOCAL
>>> [6195] 1420299460.399120: Sending request (208 bytes) to
>>> FAMILY.RAPSBERRY.LOCAL
>>&...