Displaying 20 results from an estimated 83 matches for "ktpass".

2013 Apr 29
3
ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
Hi, I was trying to get a new keytab in samba4 for my apache service. So I tried the following command: sh ktpass.sh --out /etc/apache.keytab --princ HTTP/myhost.samba.my.domain@SAMBA.MY.DOMAIN --pass VerySecure123 --enc des-cbc-md5 I get the following error: Unable to find kvno for principal HTTP/myhost.samba.my.domain@SAMBA.MY.DOMAIN Am I doing something wrong or shouldn't I be using ktpass.sh?...
2017 Jan 20
3
how to run ktpass with a Samba AD DC?
I was trying to get authentication via kerberos working but I'm having trouble trying to run ktpass as in step 6 here http://robertan.com/home/2015/01/14/kerberos-auth-with-apachephp/ ktpass -princ HTTP/contoso.com@CONTOSO.COM -mapuser CONTOSO\<USERNAME> -crypto all -ptype KRB5_NT_PRINCIPAL -pass <PASSWORD> -out webpage.HTTP.keytab I'm not sure of the syntax...
2001 Dec 30
1
Extracting the trust account password (for use with Win2k's ktpass)?
...unning Server for NIS). I want to remove NIS (or at least the passwords from NIS). To accomplish this, I wish to use pam_krb5 to authenticate users logging into the host itself. In order to configure pam_krb5, I need to create and export a service key for "host/host.domain@DOMAIN" using ktpass (on the domain controller). This key is installed into /etc/krb5.keytab on the Linux box and is used by the PAM module. pam_krb5 will not function without this service key. The ktpass utility prompts for the password of the machine account and sets the Kerberos DES key using it. I want to use t...
2003 Dec 11
1
kerberos with W2K server
Hello, The problem: With the command: net ads join my_linux_box my samba 3.0.1rc1 works fine with a W2k kerberos server But I prefer to use the ktpass command on the W2k server (and our m$ guru). The problem seems to be that samba doesn't use /etc/krb5.keytab. A quick read of the source and some mail in the archives leads me to believe that it uses a memory keytab (and secrets.tdb?). I'm not sure. Could you confirm that? Do I have to do with an older...
2007 Jan 02
1
Getting host keys with samba
...n their windows XP PCs. I would now like to kerberise the unix applications. Starting with the supplied Sun rlogind, telnetd, etc. As I understand things I now need to have a host key on the end systems. Will samba's net ads keytab create do this for me? And avoid me having to run ktpass.exe on windows for each and every host? I am having some trouble finding documentation on net ads keytab Running net ads keytab create certainly creates a key tab that I can examine with klist -K however some encryption types are listed as type-23 (Solaris' keytab) I am using MIT Kerbe...
2005 Jun 13
2
Can't maintain a connection to the Server 2003 ADS on a subdomain
Hello to every Samba expert out there, We've been having a hard time figuring out a particular problem with Samba. After joining the Server 2003 ADS, which is on a different subnet - just going through a router, the membership would drop all of a sudden. Everything works great when the Samba server is on the same subnet as the Server 2003 ADS. I have posted some details on forums, here is a
2014 Jan 21
1
Generating keytabs for other hosts
...that states some bits on the windows side such as creating an spn C:\Users\Administrator>setspn -A host/test.sondrel.com@SONDREL.COM Test Registering ServicePrincipalNames for CN=Test,OU=Machines,DC=sondrel,DC=com host/envy.sondrel.com@SONDREL.COM Updated object but there is no ktpass on windows 7 so I tried the ktpass.sh script that I found reference to on the mailing list and I get this ./ktpass.sh --out envy.keytab --princ host/test.sondrel.com@SONDREL.COM--host envy --pass * --enc rc4-hmac Unable to find kvno for principal host/test.sondrel.com@SONDREL.COM check th...
2007 Feb 05
1
kerberos/Samba integration questions
...need the same host/hostname.myorg.com principal to be set on the account that is mapped to the system. AD isn't terribly happy about using a machine account anyway to configure kerberos, at least not on Solaris - it works much better to use a user account and then set the principal with the ktpass utility on the windows DC. It seems that conceptually what I need is to be able to set the samba created information as the keytab entry, but I haven't the faintest idea how to do that. I tried setting the verify_ap_req_nofail = false value in the krb5.conf file to keep it from requiring...
2004 Mar 16
3
samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
...g as there is a valid ticket. I have googled and read in mailing lists, and got good advice (thanks chris!) on how to get a ticket with a cronjob and a keytab file: - On the ADS-KDC I created a user, to whose account the new kerberos principal is to be mapped, - which I did by typing "ktpass -princ host/hostname@REALM -mapuser username -pass password -out keyfile", like microsoft explains on their techinfo sites. - Then I transferred the keyfile to the linux box and tried to use it for kinit with the -k and -t switches. BUT: All I got is: Additional pre-authentication requir...
2016 Jun 27
3
Looking for GSSAPI config [was: Looking for NTLM config example]
...keytab with two services. I used ktutil: # ktutil ktutil: read_kt mail-imap.keytab ktutil: read_kt mail-smtp.keytab ktutil: write_kt mail.keytab ktutil: quit I'm using a windows 2003 r2 server as domain controller, to create a keytab file you need the windows 2003 support tools. ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smt...
2009 May 04
2
bad encryption type in AD domain authentication
Hello, I'm trying to access a samba share using an ADS user credentials. I always get an error, and the debug traces (log level = 5) are giving me the output in the follow. I have searched the samba ML archives, and I have found the thread http://lists.samba.org/archive/samba/2004-April/084545.html but, before asking the system admin to apply the eventual KB fixes, I would like to know if the
2016 Feb 22
6
Kerberos Principal
Hi all, I’m looking to add in a kerberos principal on my server for the AD domain. I see there are ways to do this for user(s), but I don’t see how to add a principal for hosts. In general, I’d like to add something like the following to my 4.3.4 Domain: ktpass -princ afpserver/fqdn@REALM -mapuser mapuser@domain +rndPass -out afpserver.keytab This is for a netatalk server. I’ve never had to add a principal to my samba, so I’d just like some clarification as this is for a host and not a user. what would the 'samba-tool spn add …’ syntax look li...
2016 Sep 14
2
Exporting keytab for SPN failure
...for aes128 and 0x10 for aes256. > I assume if enctypes are set to 24 for example (only aes128/256) the server will honour this and decline des and rc4 attempts. > > > That’s interesting, indeed. Rowland— This whole thing seems to me like we are duplicating the functionality of the ktpass command on a Windows AD. With that command, one would need to include an encoding type, and I’m just wondering if it should be included in the wiki pages as well rather than trying to add it back manually after the export. Also, something tells me that the ktpass command, when creating the SPN fo...
2016 Sep 16
6
Exporting keytab for SPN failure
...;> rc4 attempts. >>>>> >>>>> >>>>> >>>> That’s interesting, indeed. >>>> >>>> Rowland— >>>> >>>> This whole thing seems to me like we are duplicating the >>>> functionality of the ktpass command on a Windows AD. With that >>>> command, one would need to include an encoding type, and I’m just >>>> wondering if it should be included in the wiki pages as well rather >>>> than trying to add it back manually after the export. Also, >>>>...
2005 Jul 04
2
Questions regarding ADS
...with 3.0+ is not needed anymore. 3) My krb5.conf doesn't contain any references to servers. All it contains is dns_lookup_realm=true, dns_lookup_kdc=true and default_realm=XXXXX. Do I need anything specific or current krb5 can obtain everything it needs from the DNS? 4) Do I need to do the ktpass thing at the windows DC? Documentation doesn't say I should, but I keep reading in the web examples of importing the data into the keytab. Thanks. I've already posted some days my log files trying to find some specific help but probably my post was too unnecessarily complicated. Perhaps if...
2009 May 06
0
Kerberos tickets problem
...N), the capitalization is intentional as this is how they appear when I run spnset hostname HOST/HOSTNAME HOST/hostname.domain.com (FQDN) I also setup a service account name (user object) on Windows whose name is same as the hostname (computer object). I generated the keytab file with ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab I then ftped this file over to Solaris host and try to authenticate a user login via AD, I get PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not...
2010 May 03
1
Samba4 and keytabs
...the keytab seems to be wrong for me (the domain name instead of ns1.domainname). What would be the correct way of changing / adding service principals associated with a user and re-generating the keytab? I got the dns updates working by adding a new user with ADUC and creating the keytab with ktpass on a windows machine joined to the domain, but that seems unnecessarily complicated and results in a keytab with different encryption methods compared to the one created by provision. Besides dns, service principals and keytabs are needed also for a bunch of other services (imap, smtp, http); w...
2016 Sep 15
3
Exporting keytab for SPN failure
...only aes128/256) the server will honour this and decline des and >>> rc4 attempts. >>> >>> >>> >> That’s interesting, indeed. >> >> Rowland— >> >> This whole thing seems to me like we are duplicating the >> functionality of the ktpass command on a Windows AD. With that >> command, one would need to include an encoding type, and I’m just >> wondering if it should be included in the wiki pages as well rather >> than trying to add it back manually after the export. Also, >> something tells me that the ktpa...
2011 Aug 29
4
Kerberos GSSAPI - proper item name in keytab
Hello, ALL. I am trying to organize a transparent single sign-on concept for my Active Directory users into Dovecot via IMAP. On the user's desktop I use Thunderbird 6.0 as a mail client (MUA), Windows XP as an operating system. Domain is controlled by Windows 2008 Server SP2 with Active Directory. I have installed on my Mail server Debian GNU/Linux 6.0.2 (Squeeze) and Dovecot 2.0.13 from
2005 Aug 11
0
kerberos_kinit_password host/SUNDEV@LEXI.COM.MX failed: Client not found in Kerberos database
I'm using Solaris 8, samba 3, kerberos and openldap. I'm annexing: log.smbd, smb.conf, krb5.conf, nsswitch.conf and the ktpass command in AD. Can somebody help me? I get this output in log.smbd: ----------------------------------- [2005/08/11 12:41:45, 0] smbd/server.c:main(802) smbd version 3.0.20rc1 started. Copyright Andrew Tridgell and the Samba Team 1992-2004 [2005/08/11 12:41:45, 0] libads/kerberos.c:ads_...