search for: krb5cc

Displaying 20 results from an estimated 32 matches for "krb5cc".

2016 Apr 13
1
[Fwd: Re: Samba_dlz, dhcp y zona inversa no actualiza]
...'s DNS" echo "server when using INTERNAL DNS or BIND9 DLZ plugin." echo "" echo " Command line options (and variables):" echo "" echo " -a | --action Action for this script to perform" echo " ACTION={add|delete}" echo " -c | --krb5cc Path of the krb5 credential cache (optional)" echo " Default: KRB5CC=/run/dhcpd.krb5cc" echo " -d | --domain The DNS domain/zone to be updated" echo " DOMAIN={domain.tld}" echo " -h | --help Show this help message and exit" echo " -H | --hostname Ho...
2018 Apr 14
3
smbclient kerberos auth fails
...dns_lookup_kdc = true default_realm = FOO.COM [logging] kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log default = FILE:/var/log/krb5/def.log * run kinit aaptel at FOO.COM, type pw, ok * klist output: Ticket cache: DIR::/run/user/1000/krb5cc/tktEOK9Bs Default principal: aaptel at FOO.COM Valid starting Expires Service principal 04/14/2018 13:49:22 04/14/2018 23:49:22 krbtgt/FOO.COM at FOO.COM renew until 04/15/2018 13:49:21 At this point I think it should work, but I get: $ smbcl...
2024 Jun 27
3
Online AD Backup fails with "no auth" in 4.20?
...change in regards to the online AD Backup in 4.20? We're using this CLI command to create a backup of our domain: /usr/bin/samba-tool domain backup online --targetdir="/my/path" --server="rad-2.ad.ellerhold.lan" --use-krb5-ccache="/opt/samba-ad-backup/ad-backup.krb5cc" -N This ran successfully on a member server without a problem. klist shows a valid ticket: # klist -c /opt/samba-ad-backup/ad-backup.krb5cc Ticket cache: FILE:/opt/samba-ad-backup/ad-backup.krb5cc Default principal: ad-backup at AD.ELLERHOLD.LAN Valid starting Expires Servi...
2015 Feb 16
0
Samba4 kinit issue with principal and keytab file
...1 HTTP/dc01.example.com at EXAMPLE.COM > 2 1 HTTP/dc01.example.com at EXAMPLE.COM > 3 1 HTTP/dc01.example.com at EXAMPLE.COM > ktutil: q > > You can see that there is only the spn in the keytab and if you try 'kinit' > > kinit -k -t /etc/httpd.keytab -c /tmp/http-dc01.krb5cc http-dc01 > kinit: Generic preauthentication failure while getting initial credentials > > now if you export another keytab but this time use the upn as the principal: > > samba-tool domain exportkeytab /etc/http-dc01.keytab > --principal=http-dc01 at EXAMPLE.COM > > and...
2015 Feb 13
1
Samba4 kinit issue with principal and keytab file
Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at
2015 Feb 26
2
Samba4 SSH SSSD-AD Problem
...blem with ssh and sssd in a samba4 ad environment. If I logon a linux client everything works fine. When entering klist I'm able to see my ticket. When I try to connect/logon to another linux client with ssh it is possible, but klist shows: klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found. So the ticket cache is not created during logon. I'm using sssd with the following sssd.conf: [sssd] services = nss, pam config_file_version = 2 domains = $DOMAINNAME$ [nss] [pam] [domain/$DOMAINNAME$] id_provider = ad access_provider = ad ldap_id_mapping=false krb5_k...
2024 Jun 27
1
Online AD Backup fails with "no auth" in 4.20?
...in 4.20? > > We're using this CLI command to create a backup of our domain: > > /usr/bin/samba-tool domain backup online --targetdir="/my/path" > --server="rad-2.ad.ellerhold.lan" > --use-krb5-ccache="/opt/samba-ad-backup/ad-backup.krb5cc" -N > > This ran successfully on a member server without a problem. klist > shows > a valid ticket: > > # klist -c /opt/samba-ad-backup/ad-backup.krb5cc > Ticket cache: FILE:/opt/samba-ad-backup/ad-backup.krb5cc > Default principal: ad-backup at...
2024 Jun 11
1
kerberos default_ccache_name with sssd
On 6/6/2024 8:26 AM, Dave Macias wrote: > *I wanted to see if I could make the cache file user-specific, instead of > the default location (/tmp/krb5cc-blabla).* SSH is creating a separate ticket cache file for each login session and owned by the user. This has been the preferred way to do this for decades. https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd Your: "Ticket cache: FILE:/tmp/krb5cc_2000_tgiettMBSK" looks like it...
2011 Oct 20
2
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
...em1 . . $ ps -ef | grep ssh root 170 1 0 14:01:58 ? 0:00 /opt/ssh/sbin/sshd test 245 243 0 14:03:41 ? 0:00 sshd: test at pts/0 test 242 225 0 14:03:39 pts/tb 0:00 ssh system1 root 243 170 0 14:03:39 ? 0:02 sshd: test [priv] $ ll /tmp/krb5cc* -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_170_243 -rw------- 1 test users 416 Oct 20 14:03 /tmp/krb5cc_243_245 Env KRB5CCNAME is set to KRB5CCNAME=FILE:/tmp/krb5cc_243_245 On closing the session,the cache file corresponding to the nonpriv process is...
2024 Jun 06
2
kerberos default_ccache_name with sssd
...luster and things have gone well so far. I can ssh to my test clients using my kerberos credentials then ssh using GSSAPI to other hosts as defined in my principals using my ticket, achieving SSO. *I wanted to see if I could make the cache file user-specific, instead of the default location (/tmp/krb5cc-blabla).* I configured sssd.conf with: krb5_ccachedir = %h krb5_ccname_template = FILE:%d/.krb5cc_%U I configured krb5.conf with: [libdefaults] default_ccache_name = FILE:/home/%{username}/.krb5cc_%{uid} My sshd_config has the following: KerberosAuthentication yes KerberosOrLocalPasswd no Ke...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...assword of DOMAIN\root You should never get prompted for the password for 'DOMAIN\root', if you do, then you are doing something wrong or something has gone wrong. > (what happens when transferring the > *dns roles): > > srv-kb-dc1:~ # klist > Ticket cache: DIR::/run/user/0/krb5cc/tkt What OS is this ? > Default principal: administrator at MY.LOCAL.DOM > > Valid starting Expires Service principal > 12.01.2023 12:57:56 12.01.2023 22:57:56 krbtgt/MY.LOCAL.DOM at MY.LOCAL.DOM > renew until 13.01.2023 12:57:54 > srv-kb-dc1:~ # sa...
2024 Jun 11
1
kerberos default_ccache_name with sssd
Thank you both for the replies and explanation! @douglas Can i set KRB5CCNAME somewhere so that it uses /home? Where? But even if i could set the env variable i have this odd behavior: I now have 4 vms running. 2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post. From the 4 vms, when I ssh into them, 2 of them set a cache file in t...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...You should never get prompted for the password for 'DOMAIN\root', if you > do, then you are doing something wrong or something has gone wrong. > >> (what happens when transferring the *dns roles): > >> >> srv-kb-dc1:~ # klist >> Ticket cache: DIR::/run/user/0/krb5cc/tkt > > What OS is this ? > >> Default principal: administrator at MY.LOCAL.DOM >> >> Valid starting Expires Service principal >> 12.01.2023 12:57:56 12.01.2023 22:57:56 krbtgt/MY.LOCAL.DOM at MY.LOCAL.DOM >> renew until 13.01.20...
2023 Jan 12
1
problems with sysvol after fsmo transfer
Am 12.01.23 um 14:03 schrieb Rowland Penny via samba: > On 12/01/2023 12:51, Rowland Penny via samba wrote: >> On 12/01/2023 12:28, Thorsten Marquardt via samba wrote: >>> srv-kb-dc1:~ # klist >>> Ticket cache: DIR::/run/user/0/krb5cc/tkt >> What OS is this ? the old host: srv-kb-primdc:~ # cat /etc/os-release NAME="openSUSE Leap" VERSION="42.3" ID=opensuse ID_LIKE="suse" VERSION_ID="42.3" PRETTY_NAME="openSUSE Leap 42.3" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:...
2024 Jun 12
1
kerberos default_ccache_name with sssd
...save the cache in /tmp and the other 2 in /home. See what happens when i run the loop below: > for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done rocky8client.domain.net Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa Default principal: jdoe at DOMAIN.NET Valid starting Expires Service principal 06/11/2024 17:58:09 06/12/2024 17:58:09 krbtgt/DOMAIN.NET at DOMAIN.NET renew until 06/11/2024 17:58:09 rocky9client.domain.net Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5 Default principal: jdoe at...
2016 Sep 30
3
Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
...e is nothing like host_ or other for kerberos inside. > > ls -lisa /var/tmp/ > 2 4 drwxrwxrwt 3 root root 4096 Sep 25 08:39 . > 2 4 drwxr-xr-x 13 root root 4096 Jun 20 2013 .. > 11 16 drwx------ 2 root root 16384 Aug 9 2012 lost+found > > > In /tmp i can see 4 krb5cc files for users there has used kerberos > on this member. So this look ok between Client and Fileserver. But > not between Member an DC > > For recreate keytab i can use this manual? > https://wiki.samba.org/index.php/Generating_Keytabs > <https://wiki.samba.org/index.php/Gene...
2023 Jan 12
1
problems with sysvol after fsmo transfer
...> Kinit as Administrator (note I am using sudo, but it would be the same > if done by root) > > adminuser at rpidc2:~ $ sudo kinit Administrator > Password for Administrator at SAMDOM.EXAMPLE.COM: > > The Administrators ticket: > > adminuser at rpidc2:~ $ sudo klist -c /tmp/krb5cc_0 > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: Administrator at SAMDOM.EXAMPLE.COM > > Valid starting Expires Service principal > 12/01/23 11:14:21 12/01/23 21:14:21 > krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM > renew until 13/01/23 11:14:13 >...
2015 Feb 12
1
Samba4 kinit issue with principal and keytab file
Hi Rowland, Yes, I read this documentation carefully. I have two working Apache2 with kerberos authentication working. My question is more about troubleshooting a keytab. If I need to test manually a keytab file challenging a specific principal, what's the preferred method ? I thought that a kinit could be done using a principal name, but I am unable to kinit with something else than the
2015 Apr 24
0
Internal DNS strangeness in 4.1.16
..._DB_ERROR I had to add a USER=dhcpd export USER to the script in /etc/dhcp/update.sh (this is the path for ubuntu 14.04, instead of the /etc/dhcpd one for arch) Since ubuntu 14.04 uses apparmor, I also added the line /etc/dhcp/update.sh Uxr, to /etc/apparmor.d/local/usr.sbin.dhcpd and put KRB5CC in /tmp instead of /run (where the dhcpd user cannot write). BTW samba-tool seems to ignore the -k option altogether (it uses kerberos if it can or asks for a password if it cannot, regardless of the presence or not of the -k option) Bye -- Luca Olivetti Wetron Automation Technology http://www.w...
2019 Feb 15
0
winbind offline logon
...dential cache can be controlled with this option. The supported values are: KEYRING (when supported by the system's Kerberos library and Kernel), FILE and DIR (when the DIR type is supported by the system's Kerberos library). In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created - in case of DIR you NEED to specify a directory. UID is replaced with the numeric user id. When using the KEYRING type, the supported mechanism is “KEYRING:persistent:UID”, which uses the Linux kernel keyring to store credentials on a per-UID basis. This...