search for: krb5cc_uid

...r/whatever /whatever -o sec=krb5i This should mount the share using Kerberos & Packet-signing by using the cached credentials of the user executing the command. With judicious use of strace, it seems that cifs.upcall makes the assumption that the Kerberos credentials will be present at /tmp/krb5cc_UID, however, this is not always the case; the credentials may have a random element in the file name. Here's an example output from the system: /tmp/krb5cc_0 /tmp/krb5cc_10000_IKsPGl4129 /tmp/krb5cc_10003_SXDRDQ7677 As such, the command works fine under root, but will fail for users with UI...

...COM >> ??? renew until 08/10/20 15:41:17 > > In your case, did you ssh to "centos8", or you just logged into it via > a GUI?? When I login via the GUI, winbind renews the key. When I ssh, > it does not.? On your destination system, the ticket cache is still > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>. > > In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh. > > Jason. > > I logged in via 'ssh' and until I added pam_krb5, I didn't...

On 01/10/2020 21:46, Rowland penny via samba wrote: > On 01/10/2020 21:23, Jason Keltz via samba wrote: >> >> >> Okay - I guess the failure of kdc: lines in smb.conf is a bug. >> >> Let's wait and see what happens with your ticket after 10 hours. >> Maybe there's a bug there as well. > It will be in the middle of the night here, so I will report

...RB5CCNAME? Also wondering about why I get this right after the above error: "Could not determine network interfaces, you must use a interfaces config line" (As a side note, not sure if it is interesting, but I see in the /var/log/cups/error_log that SMBSPOOL_KRB5 sets KRB5CCNAME to /tmp/krb5cc_UID (where UID is >= 1000). In our environment the user gets /tmp/krb5cc_UID_RANDOM (where RANDOM is a random string) from Heimdal Kerberos when logging in so in 14.04 (where printing works) you have to create a symbolic link from /tmp/krb5cc_UID to /tmp/krb5cc_UID_RANDOM to have the printing work w...

...15:41:17 > > > > In your case, did you ssh to "centos8", or you just logged > into it via > > a GUI?? When I login via the GUI, winbind renews the key. > When I ssh, > > it does not.? On your destination system, the ticket cache is still > > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>. > > > > In my case, even after I copied the /tmp/krb5cc_UID_<random > bits> back > > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh. > > > > Jason. > > > > > I logged in via 'ssh&...

...AMPLE.COM at SAMDOM.EXAMPLE.COM > ??? renew until 08/10/20 15:41:17 In your case, did you ssh to "centos8", or you just logged into it via a GUI?? When I login via the GUI, winbind renews the key. When I ssh, it does not.? On your destination system, the ticket cache is still /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>. In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back to /tmp/krb5cc_UID, winbind also did not renew the key. sigh. Jason.

...ew until 08/10/20 15:41:17 >> >> In your case, did you ssh to "centos8", or you just logged into it >> via a GUI?? When I login via the GUI, winbind renews the key. When I >> ssh, it does not.? On your destination system, the ticket cache is >> still /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>. >> >> In my case, even after I copied the /tmp/krb5cc_UID_<random bits> >> back to /tmp/krb5cc_UID, winbind also did not renew the key. sigh. >> >> Jason. >> >> > I logged in via 'ssh' and unti...

...ut why I get this right after the above error: > "Could not determine network interfaces, you must use a interfaces > config line" > > (As a side note, not sure if it is interesting, but I see in > the /var/log/cups/error_log that SMBSPOOL_KRB5 sets KRB5CCNAME > to /tmp/krb5cc_UID (where UID is >= 1000). In our environment the > user gets /tmp/krb5cc_UID_RANDOM (where RANDOM is a random string) > from Heimdal Kerberos when logging in so in 14.04 (where printing > works) you have to create a symbolic link from /tmp/krb5cc_UID > to /tmp/krb5cc_UID_RANDOM to have...

...41:17 >>> In your case, did you ssh to "centos8", or you just logged >> into it via >>> a GUI?? When I login via the GUI, winbind renews the key. >> When I ssh, >>> it does not.? On your destination system, the ticket cache is still >>> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>. >>> >>> In my case, even after I copied the /tmp/krb5cc_UID_<random >> bits> back >>> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh. >>> >>> Jason. >>> >>> >&gt...

I'm in a situation here at work where I'm trying to support a mixed network of OS X and RHEL desktop machines with a Postfix/Dovecot combination. - user account information is stored in LDAP - user credentials are in MIT Kerberos - server is running RHEL 6/Dovecot 2.0.9/Postfix 2.6.6 I am currently using the PAM passdb module to authenticate my users (I began to have trouble

Hello all. I'm encountering an issue where smbclient seemingly ignores the kerberos ccache as configured in krb5.conf when using "krb5-user" as the kerberos package and will instead always default to using "FILE:/tmp/krb5cc_uid". I tested each valid default ccache name type but smbclient completely ignores whatever is set as the "default_ccache_name" in the conf file. I went on to test "heimdal-clients" as the kerberos package and smbclient appears to be using the ccache that is configured in the...

Rowland Penny wrote: > On Sat, 5 Aug 2017 15:29:54 +0200 > Van Svensson via samba <samba at lists.samba.org> wrote: > > > Rowland Penny wrote: > > > > > On Sat, 5 Aug 2017 14:44:34 +0200 > > > Van Svensson via samba <samba at lists.samba.org> wrote: > > > > > > > Rowland Penny wrote: > > > > > > >

...dential cache can be controlled with this option. The supported values are: KEYRING (when supported by the system's Kerberos library and Kernel), FILE and DIR (when the DIR type is supported by the system's Kerberos library). In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created - in case of DIR you NEED to specify a directory. UID is replaced with the numeric user id. When using the KEYRING type, the supported mechanism is “KEYRING:persistent:UID”, which uses the Linux kernel keyring to store credentials on a per-UID basis. This is t...

...mance issue, as I see 100s of ticket requests within the same second when someone tries to launch a lot of jobs. Many of these will fail with "permission denied" but if they immediately re-try, it works. Related to this, I have been unable to figure out what creates and deletes the /tmp/krb5cc_uid_random files. (3) Kerberized NFS shares getting "stuck" for one or more users. We have another monitoring app (in-house developed) that, among other things, makes periodic checks of these NFS mounts. It does so by forking and doing a simple "ls" command. This is to ensure...

...> Hello all. > > > > I'm encountering an issue where smbclient seemingly ignores > the kerberos > > ccache as configured in krb5.conf when using "krb5-user" as > the kerberos > > package and will instead always default to using > "FILE:/tmp/krb5cc_uid". > > I tested each valid default ccache name type but smbclient > completely > > ignores whatever is set as the "default_ccache_name" in the > conf file. I > > went on to test "heimdal-clients" as the kerberos package > and smbclient > >...

Hi all, I have a problem in libpam-winbind: offline logon doesn't seems to work. The first version of samba in which I have found the problem is 4.1 and the last is 4.7 but I fear that newer version are affected too. Hopefully there is a workaround: you have to remove krb5_ccache_type=FILE from /etc/pam.d/common-auth I have opened a bug report[¹] where you can find more details. Any one

...it can store the retrieved > Ticket Granting Ticket (TGT) in a credential cache. The type > of credential cache can be set with this option. Currently > the only supported value is: FILE. In that case a credential > cache in the form of /tmp/krb5cc_UID will be created, where > UID is replaced with the numeric user id. Leave empty to just > do kerberos authentication without having a > ticket cache after the logon has succeeded. > > > > > > The mount only works when I use kinit to populat...