search for: krb5_trace

...te: > > On Wed, Feb 19, 2014 at 11:50:59AM +0100, Sumit Bose wrote: > > > > > > This looks all good, the additional output after kdestroy is due to the > > > fact that the TGT must be requested here too. > > > > > > Can you run sshd on mail with KRB5_TRACE as well? > > > > > > bye, > > > Sumit > > > > > > > KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222 > > > > I am sorry, this does not reveal any new messages... > > > > but I think kerberos authentication is active: &gt...

...https://lists.samba.org/mailman/options/samba >> >> > > Ole, Sorry you are having so many issues. I've tried reading back through this thread to verify everything that has been covered. Can you try this command with the "PDC up and down? Reply with your findings. KRB5_TRACE=/dev/stdout kinit administrator -- -James

Robert Schetterer wrote: > Alex Persson wrote: >> Robert Schetterer wrote: >>> Alex Persson wrote: >>>> After upgrading from Ubuntu 16.04 to 18.04 printing via SMB-Kerberos no longer works (printing still works in 18.04 when I print via SMB but I don't want to have the password stored in clear text in /usr/lib/cups/backend/smb). >>>> >>>>

...s/foo.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT session setup failed: NT_STATUS_INVALID_PARAMETER I've attached a network trace with SMB, DNS and kerberos traffic. -------------- next part -------------- Adding KRB5_TRACE=/dev/stderr to the env I get: KRB5_TRACE=/dev/stderr smbclient //foo.com/share -k [14620] 1523708816.549070: Getting credentials aaptel at FOO.COM -> cifs/foo.com at FOO.COM using ccache DIR::/run/user/1000/krb5cc/tkt [14620] 1523708816.549204: Retrieving aaptel at FOO.COM -> cifs/foo.com at...

...on SUB.DOMAIN.COM with an admin/user account from DOMAIN.COM with no issue. Linux machines on SUB.DOMAIN.COM however, cannot access anything on DOMAIN.COM. Just trying to get a Kerberos ticket via kinit USER at DOMAIN.COM<mailto:USER at DOMAIN.COM> fails. [root at client.SUB.DOMAIN.COM /]# KRB5_TRACE=/dev/stdout kinit user at DOMAIN.COM [1221] 1576265136.982936: Getting initial credentials for user at DOMAIN.COM [1221] 1576265136.982938: Sending unauthenticated request [1221] 1576265136.982939: Sending request (196 bytes) to DOMAIN.COM [1221] 1576265137.5412: Retrying AS request with master KDC...

For the member servers, to reduce timeouts etc when one DC is down. Change your resolv.conf to : domain internal.domain.tld search internal.domain.tld nameserver IP_DC1 nameserver IP_DC2 options timeout:2 options attempts:2 options rotate options edns0 see man resolv.conf for the options explained. Ow.. and .. domain and search are NOT exclusive anymore in Debian Jessie and up. At least,

...>>> >> Ole, >> >> Sorry you are having so many issues. I've tried reading back >> through this thread to verify everything that has been covered. Can you >> try this command with the "PDC up and down? Reply with your findings. >> >> KRB5_TRACE=/dev/stdout kinit administrator >> >> -- >> -James >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > >

...t;> > >> > > > > > Ole, > > Sorry you are having so many issues. I've tried reading back > through this thread to verify everything that has been covered. Can you > try this command with the "PDC up and down? Reply with your findings. > > KRB5_TRACE=/dev/stdout kinit administrator > > -- > -James > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba

>> > Ole, > > Sorry you are having so many issues. I've tried reading back > through this thread to verify everything that has been covered. Can > you try this command with the "PDC up and down? Reply with your findings. > > KRB5_TRACE=/dev/stdout kinit administrator > up: [25392] 1452162640.959713: Getting initial credentials for administrator at my.domain.tld [25392] 1452162640.960294: Sending request (196 bytes) to my.domain.tld [25392] 1452162640.963005: Resolving hostname dc2.my.domain.tld. [25392] 1452162640.964554:...

...from dgram 192.168.5.86:88 [17919] 1482170475.963784: Response was not from master KDC [17919] 1482170475.963803: TGS request result: -1765328378/Client not found in Kerberos database But if I kinit with a real user, it works fine: root at wrn-radtest:~# kinit brian ... root at wrn-radtest:~# KRB5_TRACE=/tmp/trace.out ldapsearch -Y GSSAPI -h wrn-dc1.ad.example.net -b 'dc=ad,dc=example,dc=net' -s base SASL/GSSAPI authentication started SASL username: brian at AD.EXAMPLE.NET SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=ad,dc=example,dc=net> wi...

...ubdom2.subdom1.example.de is a subdomain (bidirectional trust) of subdom1.example.de. When I try to ssh to a client I'm getting the service ticket for the client. But it still prompts the password question. On the ssh-client side I'm getting the following SSH debug information: ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1 OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016 debug1: Reading configuration data /home/user1/.ssh/config debug1: /home/user1/.ssh/config line 17: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 25: Apply...

...(bidirectional trust) of subdom1.example.de. > > When I try to ssh to a client I'm getting the service ticket for the > client. But it still prompts the password question. > > On the ssh-client side I'm getting the following SSH debug > information: > > ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1 > OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016 > debug1: Reading configuration data /home/user1/.ssh/config > debug1: /home/user1/.ssh/config line 17: Applying options for * > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/...

...ubdom1.example.de. >> >> When I try to ssh to a client I'm getting the service ticket for the >> client. But it still prompts the password question. >> >> On the ssh-client side I'm getting the following SSH debug >> information: >> >> ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1 >> OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016 >> debug1: Reading configuration data /home/user1/.ssh/config >> debug1: /home/user1/.ssh/config line 17: Applying options for * >> debug1: Reading configuration data /etc/ssh/ssh_config >&g...

...al. Everything seems to be set up nice. During Domain creation samba4 provides an krb5.conf file: Code: /etc/krb5.conf (provided by samba4) [libdefaults] default_realm = FAMILY.RAPSBERRY.LOCAL dns_lookup_realm = false dns_lookup_kdc = true This results in: Code: # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL [6195] 1420299460.392810: Getting initial credentials for Administrator at FAMILY.RAPSBERRY.LOCAL [6195] 1420299460.399120: Sending request (208 bytes) to FAMILY.RAPSBERRY.LOCAL [6195] 1420299460.492736: Resolving hostname rasp.family.rapsbe...

...t;> >> /etc/krb5.conf (provided by samba4) >> >> [libdefaults] >> default_realm = FAMILY.RAPSBERRY.LOCAL >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> This results in: >> >> Code: >> >> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL >> [6195] 1420299460.392810: Getting initial credentials for >> Administrator at FAMILY.RAPSBERRY.LOCAL >> [6195] 1420299460.399120: Sending request (208 bytes) to >> FAMILY.RAPSBERRY.LOCAL >> [6195] 142029946...

...ibdefaults] >>>> default_realm = FAMILY.RAPSBERRY.LOCAL >>>> dns_lookup_realm = false >>>> dns_lookup_kdc = true >>>> >>>> This results in: >>>> >>>> Code: >>>> >>>> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL >>>> [6195] 1420299460.392810: Getting initial credentials for >>>> Administrator at FAMILY.RAPSBERRY.LOCAL >>>> [6195] 1420299460.399120: Sending request (208 bytes) to >>>> FAMILY.RAPSBERRY...

...amba4 provides an krb5.conf file: > > Code: > > /etc/krb5.conf (provided by samba4) > > [libdefaults] > default_realm = FAMILY.RAPSBERRY.LOCAL > dns_lookup_realm = false > dns_lookup_kdc = true > > This results in: > > Code: > > # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL > [6195] 1420299460.392810: Getting initial credentials for > Administrator at FAMILY.RAPSBERRY.LOCAL > [6195] 1420299460.399120: Sending request (208 bytes) to > FAMILY.RAPSBERRY.LOCAL > [6195] 1420299460.492736: Resolving...

...samba4) >>> >>> [libdefaults] >>> default_realm = FAMILY.RAPSBERRY.LOCAL >>> dns_lookup_realm = false >>> dns_lookup_kdc = true >>> >>> This results in: >>> >>> Code: >>> >>> # KRB5_TRACE=/dev/stdout kinit Administrator at FAMILY.RAPSBERRY.LOCAL >>> [6195] 1420299460.392810: Getting initial credentials for >>> Administrator at FAMILY.RAPSBERRY.LOCAL >>> [6195] 1420299460.399120: Sending request (208 bytes) to >>> FAMILY.RAPSBERRY.LOCAL >>&...