search for: krbtgt

...more # details. # # cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED lockdir = /mnt/DADOS-GLUSTERFS/CTBD/ disable_ip_takeover = yes only_locks = yes ======== Erros in Syslog 2025-01-22T14:22:45.120599-03:00 samba-cluster2 winbindd[1755688]: krbtgt/ INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/ dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/ INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/ dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/ INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (c...

...luster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED > lockdir = /mnt/DADOS-GLUSTERFS/CTBD/ > disable_ip_takeover = yes > only_locks = yes > > ======== > > Erros in Syslog > > 2025-01-22T14:22:45.120599-03:00 samba-cluster2 winbindd[1755688]: > krbtgt/INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/ > dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/ > INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/ > dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/ > INTERNO.XXXXXX.SRV.BR at INTERN...

...ter lock = !/bin/false CLUSTER LOCK NOT CONFIGURED > lockdir = /mnt/DADOS-GLUSTERFS/CTBD/ > disable_ip_takeover = yes > only_locks = yes > > ======== > > Erros in Syslog > > 2025-01-22T14:22:45.120599-03:00 samba-cluster2 winbindd[1755688]: krbtgt/ > INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/ > dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/ > INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/ > dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/ > INTERNO.XXXXXX.SRV.BR at...

So I did a very dumb move and deleted the krbtgt user from my working samba4 installation. Now of course, this broke the installation... trying to fix things, I recreated the user (and made it member of the administrator group) which let me start samba4 again but now, whenever I try to log in a user on a workstation, in the logs it gives me t...

...gt; rocky8client.domain.net <http://rocky8client.domain.net> > Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa > Default principal: jdoe at DOMAIN.NET <https://mailto:jdoe at DOMAIN.NET> > > Valid starting Expires Service principal > 06/11/2024 17:58:09 06/12/2024 17:58:09 krbtgt/DOMAIN.NET at DOMAIN.NET <https://mailto:krbtgt/DOMAIN.NET at DOMAIN.NET> > ?renew until 06/11/2024 17:58:09 > > rocky9client.domain.net <http://rocky9client.domain.net> > Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5 > Default principal: jdoe at DOMAIN.NET <https://m...

I have found source4/scripting/devel/chgtdcpass for adding the aes types to machines. I know you have to change the password of normal users. How do you fix this for krbtgt? Can you just change the password? Is there a recommended method? Thank you for any help, Trever -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists....

...throws in auth.log when I try to log in with a > > win2008 client: > > > > Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31 > > Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 > > 3}) > > 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, > > Client > > not found in Kerberos database > > Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15 > > Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 > > -135}) > > 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client&gt...

...n admin_server = pdc.biuro.domain } this is what kerberos throws in auth.log when I try to log in with a win2008 client: Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31 Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client not found in Kerberos database Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15 Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain at BIURO.domain, Bad encryption ty...

...doesn't create issues? > > I'm using lastest samba on debian bookworm from packages, not just > quite ready to update to the backports version, so it's still 4.17. > > Regards, > > Kacper > > Depends which password you are referring to, a computers or the krbtgt user. First is easy, logon to the computer, then run: sudo net ads changetrustpw For krbtgt, then read this: https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_reset_krbtgt.html Rowland

...CHE$@SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 normg at SAMBATEST.GEMTALKSYSTEMS.COM 1 normg at SAMBATEST.GEMTALKSYSTEMS.COM...

...to Samba3 and has been gradually updates over the years. When I check out a ticket I get the following results from klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user at OLDDOMAIN Valid starting Expires Service principal 06/12/2020 23:25:04 06/13/2020 09:25:04 krbtgt/ OLDDOMAIN at OLDDOMAIN renew until 06/13/2020 23:25:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac On a separate newly created domain I get tickets like this: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user at NEWDOMAIN Valid starting Expires S...

...server. Everythings work, wbinfo, getent passwd and so on. Now to the problem: When I list the users with getent passwd I get: Administrator:x:10000:10000:Administrator:/global/mnt1/SAMBA/home/TEST.SE/administrator:/bin/sh Guest:x:10001:10002:Guest:/global/mnt1/SAMBA/home/TEST.SE/guest:/bin/sh krbtgt:x:10002:10000:krbtgt:/global/mnt1/SAMBA/home/TEST.SE/krbtgt:/bin/sh root:x:10003:10000:root:/global/mnt1/SAMBA/home/TEST.SE/root:/bin/sh patrikg:x:10004:10000:patrik Gustavsson:/global/mnt1/SAMBA/home/TEST.SE/patrikg:/bin/sh fmuser:x:10005:10000:fmuser:/global/mnt1/SAMBA/home/TEST.SE/fmuser:/bin/s...

...ver rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done rocky8client.domain.net Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa Default principal:?jdoe at DOMAIN.NET Valid starting Expires Service principal 06/11/2024 17:58:09 06/12/2024 17:58:09?krbtgt/DOMAIN.NET at DOMAIN.NET ?renew until 06/11/2024 17:58:09 rocky9client.domain.net Ticket cache: FILE:/tmp/krb5cc_2000_XXXXkYi1X5 Default principal:?jdoe at DOMAIN.NET Valid starting Expires Service principal 06/11/24 17:58:10 06/12/24 17:58:10?krbtgt/DOMAIN.NET at DOMAIN.NET ?renew until 06/11/24...

...login with a bad password, it appears that when I press enter after entering a bad password, 2 attempts are made at checking it. The second time I enter a bad password, the account is locked. <grep aslate log.samba> Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65414 for krbtgt/DOMAIN at DOMAIN Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65415 for krbtgt/DOMA...

...ST:schema_mode = rfc2307 idmap config TEST:range = 100000-2000000 winbind nss info = rfc2307 in the AD member server's smb.conf, getent passwd gives me administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false test:*:70003:70004:Test User:/home/TEST/test:/bin/false krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false So the TEST:range is ignored, *:range is used instead. User Shell, Home Dir and the UID (102000 for the test user) from the UNIX attributes in AD are ignored. When I set idmap config *:b...

On 14/07/15 15:46, Trever L. Adams wrote: > I have found source4/scripting/devel/chgtdcpass for adding the aes types > to machines. I know you have to change the password of normal users. > > How do you fix this for krbtgt? Can you just change the password? Is > there a recommended method? > > Thank you for any help, > Trever > > > You could try looking here: https://lists.samba.org/archive/samba-technical/2015-February/105674.html Rowland

On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote: > On 29.10.2020 18:27, Tom Diehl via samba wrote: > > > > Maybe I am missing something, but what is the secure way to run an > > automated > > backup on recent versions of samba? Can samba-tool domain backup be > > made to use > > kerberos so I do not need to store an admin password in an >

...ndows7 windows_file_server: windows server 2008 /var/log/samba/mit_kdc.log мар 22 15:43:49 samba_dc_server krb5kdc[17891](info): commencing operation мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.2.1.12: NEEDED_PREAUTH: vas.lah at example.ru for krbtgt/example .ru at example.ru, Additional pre-authentication required мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): closing down fd 20 мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.2.1.12: ISSUE: authtime 1521715436, etypes {rep=18 tkt=18 ses=18...

...KDC_REQ_BODY Padding: 0 KDCOptions: 00000010 (Renewable OK) Client Name (Service and Host): root/host.example.com Name-type: Service and Host (3) Name: root Name: host.example.com Realm: EXAMPLE.COM Server Name (Principal): krbtgt/EXAMPLE.COM Name-type: Principal (1) Name: krbtgt Name: EXAMPLE.COM from: 2017-10-11 22:30:52 (UTC) till: 2017-10-12 08:30:52 (UTC) Nonce: 1507761052 Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 r...

...ocal group} nullmail:x:88: sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295: allowed rodc password replication group:x:4294967295: enterprise read-only domain controllers:x:4294967295: sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295: denied rodc password replication group:x:4294967295:krbtgt read-only domain controllers:x:4294967295: group policy creator owners:x:4294967295:administrator docs:x:508:user002,user003, software:x:511:dcmwai finance:x:1005:dcmwai mtcusers:x:4294967295:llchai,mtcuser01 ras and ias servers:x:4294967295: domain controllers:x:4294967295: enterprise admins:x:429...