search for: krbtgt

So I did a very dumb move and deleted the krbtgt user from my working samba4 installation. Now of course, this broke the installation... trying to fix things, I recreated the user (and made it member of the administrator group) which let me start samba4 again but now, whenever I try to log in a user on a workstation, in the logs it gives me t...

I have found source4/scripting/devel/chgtdcpass for adding the aes types to machines. I know you have to change the password of normal users. How do you fix this for krbtgt? Can you just change the password? Is there a recommended method? Thank you for any help, Trever -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists....

...throws in auth.log when I try to log in with a > > win2008 client: > > > > Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31 > > Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 > > 3}) > > 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, > > Client > > not found in Kerberos database > > Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15 > > Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 > > -135}) > > 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client&gt...

...n admin_server = pdc.biuro.domain } this is what kerberos throws in auth.log when I try to log in with a win2008 client: Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31 Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, Client not found in Kerberos database Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15 Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.0.139: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/BIURO.domain at BIURO.domain, Bad encryption ty...

...CHE$@SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM 1 normg at SAMBATEST.GEMTALKSYSTEMS.COM 1 normg at SAMBATEST.GEMTALKSYSTEMS.COM...

...to Samba3 and has been gradually updates over the years. When I check out a ticket I get the following results from klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user at OLDDOMAIN Valid starting Expires Service principal 06/12/2020 23:25:04 06/13/2020 09:25:04 krbtgt/ OLDDOMAIN at OLDDOMAIN renew until 06/13/2020 23:25:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac On a separate newly created domain I get tickets like this: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user at NEWDOMAIN Valid starting Expires S...

...server. Everythings work, wbinfo, getent passwd and so on. Now to the problem: When I list the users with getent passwd I get: Administrator:x:10000:10000:Administrator:/global/mnt1/SAMBA/home/TEST.SE/administrator:/bin/sh Guest:x:10001:10002:Guest:/global/mnt1/SAMBA/home/TEST.SE/guest:/bin/sh krbtgt:x:10002:10000:krbtgt:/global/mnt1/SAMBA/home/TEST.SE/krbtgt:/bin/sh root:x:10003:10000:root:/global/mnt1/SAMBA/home/TEST.SE/root:/bin/sh patrikg:x:10004:10000:patrik Gustavsson:/global/mnt1/SAMBA/home/TEST.SE/patrikg:/bin/sh fmuser:x:10005:10000:fmuser:/global/mnt1/SAMBA/home/TEST.SE/fmuser:/bin/s...

...login with a bad password, it appears that when I press enter after entering a bad password, 2 attempts are made at checking it. The second time I enter a bad password, the account is locked. <grep aslate log.samba> Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65414 for krbtgt/DOMAIN at DOMAIN Kerberos: Looking for PKINIT pa-data -- aslate at DOMAIN Kerberos: Looking for ENC-TS pa-data -- aslate at DOMAIN Kerberos: No preauth found, returning PREAUTH-REQUIRED -- aslate at DOMAIN Kerberos: AS-REQ aslate at DOMAIN from ipv4:123.123.123.50:65415 for krbtgt/DOMA...

...ST:schema_mode = rfc2307 idmap config TEST:range = 100000-2000000 winbind nss info = rfc2307 in the AD member server's smb.conf, getent passwd gives me administrator:*:70000:70017:Administrator:/home/TEST/administrator:/bin/false test:*:70003:70004:Test User:/home/TEST/test:/bin/false krbtgt:*:70001:70004:krbtgt:/home/TEST/krbtgt:/bin/false guest:*:70002:70005:Guest:/home/TEST/guest:/bin/false So the TEST:range is ignored, *:range is used instead. User Shell, Home Dir and the UID (102000 for the test user) from the UNIX attributes in AD are ignored. When I set idmap config *:b...

On 14/07/15 15:46, Trever L. Adams wrote: > I have found source4/scripting/devel/chgtdcpass for adding the aes types > to machines. I know you have to change the password of normal users. > > How do you fix this for krbtgt? Can you just change the password? Is > there a recommended method? > > Thank you for any help, > Trever > > > You could try looking here: https://lists.samba.org/archive/samba-technical/2015-February/105674.html Rowland

On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote: > On 29.10.2020 18:27, Tom Diehl via samba wrote: > > > > Maybe I am missing something, but what is the secure way to run an > > automated > > backup on recent versions of samba? Can samba-tool domain backup be > > made to use > > kerberos so I do not need to store an admin password in an >

...ndows7 windows_file_server: windows server 2008 /var/log/samba/mit_kdc.log мар 22 15:43:49 samba_dc_server krb5kdc[17891](info): commencing operation мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.2.1.12: NEEDED_PREAUTH: vas.lah at example.ru for krbtgt/example .ru at example.ru, Additional pre-authentication required мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): closing down fd 20 мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.2.1.12: ISSUE: authtime 1521715436, etypes {rep=18 tkt=18 ses=18...

...KDC_REQ_BODY Padding: 0 KDCOptions: 00000010 (Renewable OK) Client Name (Service and Host): root/host.example.com Name-type: Service and Host (3) Name: root Name: host.example.com Realm: EXAMPLE.COM Server Name (Principal): krbtgt/EXAMPLE.COM Name-type: Principal (1) Name: krbtgt Name: EXAMPLE.COM from: 2017-10-11 22:30:52 (UTC) till: 2017-10-12 08:30:52 (UTC) Nonce: 1507761052 Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 r...

...ocal group} nullmail:x:88: sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295: allowed rodc password replication group:x:4294967295: enterprise read-only domain controllers:x:4294967295: sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295: denied rodc password replication group:x:4294967295:krbtgt read-only domain controllers:x:4294967295: group policy creator owners:x:4294967295:administrator docs:x:508:user002,user003, software:x:511:dcmwai finance:x:1005:dcmwai mtcusers:x:4294967295:llchai,mtcuser01 ras and ias servers:x:4294967295: domain controllers:x:4294967295: enterprise admins:x:429...

...FILE:/var/log/krb5/def.log * run kinit aaptel at FOO.COM, type pw, ok * klist output: Ticket cache: DIR::/run/user/1000/krb5cc/tktEOK9Bs Default principal: aaptel at FOO.COM Valid starting Expires Service principal 04/14/2018 13:49:22 04/14/2018 23:49:22 krbtgt/FOO.COM at FOO.COM renew until 04/15/2018 13:49:21 At this point I think it should work, but I get: $ smbclient //foo.com/share -k SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/foo.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER SPNEGO: Could not find a suitabl...

...rking, these are my configuration files and the output of the commands. Note: the domain controller has samba installed from source (4.1.11), the member server has the distro packages installed (4.1.0) blue25:/home/SIENIC/administrator # wbinfo -u SIENIC\administrator SIENIC\dns-server01 SIENIC\krbtgt SIENIC\guest blue25:/home/SIENIC/administrator # wbinfo -g SIENIC\allowed rodc password replication group SIENIC\enterprise read-only domain controllers SIENIC\denied rodc password replication group SIENIC\read-only domain controllers SIENIC\group policy creator owners SIENIC\ras and ias servers S...

...11:48, Bob of Donelson Trophy wrote: > > > Okay, so I tried a "Bob thing" and it made no difference. So, no comment > on that. However, I am learning. > > This is 'wbinfo -*' from my DC1: > > root at tdc01:~# wbinfo -u > Administrator > Guest > krbtgt > dns-tdc01 > dns-TDC02 > root at tdc01:~# wbinfo -g > Enterprise Read-Only Domain Controllers > Domain Admins > Domain Users > Domain Guests > Domain Computers > Domain Controllers > Schema Admins > Enterprise Admins > Group Policy Creator Owners > Read-Only...

...: > this is what kerberos throws in auth.log when I try to log in with a > win2008 client: > > Apr 23 09:17:38 pdc kadmind[610]: closing down fd 31 > Apr 23 09:17:55 pdc krb5kdc[643]: AS_REQ (6 etypes {18 17 23 24 -135 > 3}) > 192.168.0.139: CLIENT_NOT_FOUND: qubix at GPMV for krbtgt/GPMV at GPMV, > Client > not found in Kerberos database > Apr 23 09:17:55 pdc krb5kdc[643]: closing down fd 15 > Apr 23 09:17:56 pdc krb5kdc[643]: TGS_REQ (5 etypes {18 17 23 24 > -135}) > 192.168.0.139: PROCESS_TGS: authtime 0,  <unknown client> for > krbtgt/BIURO.domain...

...th = /var/lib/samba/sysvol/biuro.domain/scripts read only = No guest ok = yes The result - the same. logging on a win2008 with user jkadmin gives the following: Apr 23 11:37:36 pdc krb5kdc[656]: AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.0.139: CLIENT_NOT_FOUND: jkadmin at biuro.domain.pl for krbtgt/ biuro.domain.pl at biuro.domain.pl, Client not found in Kerberos database Apr 23 11:37:36 pdc krb5kdc[656]: closing down fd 15 Apr 23 11:37:36 pdc krb5kdc[656]: DISPATCH: repeated (retransmitted?) request from 192.168.0.139, resending previous response Apr 23 11:37:36 pdc krb5kdc[656]: closing dow...

...still have a valid kerberos ticket, it just doesn't seem to have been refreshed when I expected :-\ Old ticket: Ticket cache: FILE:/tmp/krb5cc_10000 Default principal: rowland at SAMDOM.EXAMPLE.COM Valid starting???? Expires??????????? Service principal 01/10/20 15:34:44? 02/10/20 01:34:44 krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM ??? renew until 08/10/20 15:34:44 01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM ??? renew until 08/10/20 15:34:44 New ticket: Ticket cache: FILE:/tmp/krb5cc_10000 Default principal: rowland at SAMDOM.EXAMPLE.COM Valid starting???? Expir...