search for: ktutil

...OM.EXAMPLE.COM renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 11/01/19 10:12:50 11/01/19 20:12:50 DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac And running 'ktutil' produces this: root at dc4:~# ktutil ktutil: rkt /etc/dhcpduser.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 1 dhcpduser at SAMDOM.EXAMPLE.COM 2 1 dhcpduser at SAMDOM.EXAMPLE.COM...

...xport the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used. >> >> Mike > You can use ktutil to add the aes keys manual. You can not use an random password for the user account with this. > > #ktutil > ktutil: rkt [keytabfile] > ktutil: addent -password -p HTTP/intranet.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD <mailto:domain2.domain1.tld at domain2.domain1.tld> -k 1 -e...

...uot;kerberos/gssapi ticket was not accepted" For debuging I use Kerbtray. The Tickets I get are: MY.FQDN.COM |-- cifs/dc1.my.fqdn.com |-- cifs/files.my.fqdn.com |-- krbtgt/MY.FQDN.COM |-- krbtgt/MY.FQDN.COM |-- LDAP/dc1.my.fqdn.com/my.fqdn.com There is *no* imap ticket. root at dovecot:~# ktutil ktutil: rkt /etc/dovecot/dovecot.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 imap/dovecot.my.fqdn.com at MY.FQDN.COM 2 2 imap/dovecot.my.fqdn.com at MY.FQDN.COM 3 2 imap/dovecot.my.fqdn.com at MY.FQDN.C...

...n.local at DOMAIN.LOCAL dovecot >> samba-tool spn add imap/server.domain.local at DOMAIN.LOCAL dovecot > Did that too. No issue there. Well you must substitute server.domain.local with your mailserver fqdn and DOMAIN.LOCAL with HPRS.LOCAL. > >> 3. Create the keytab file >> ktutil >> addent -password -p smtp/server.domain.local at DOMAIN.LOCAL -k 1 -e >> arcfour-hmac >> addent -password -p imap/server.domain.local at DOMAIN.LOCAL -k 1 -e >> arcfour-hmac >> wkt /etc/dovecot/dovecot.keytab > As you can see, your text wrapped, but from the error...

...omment = Home Directories > browseable = no > read only = no > > I created a new user on the DC: > samba-tool user add cifsuser > Gave 'cifsuser' a uidNumber and gidNumber > > Next on the client: > > Extract and merge a keytab: > cd /etc > ktutil > ktutil: add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e arcfour-hmac > Password for cifsuser at EXAMPLE.COM: > ktutil: wkt cifs.keytab > ktutil: rkt krb5.keytab > ktutil: rkt cifs.keytab > ktutil: wkt krb5.keytab > ktutil: quit > > Restarted samba & win...

...the keytab as per the wiki: > > samba-tool user create --random-password http-dc01 > samba-tool spn add HTTP/dc01.home.lan http-dc01 > samba-tool domain exportkeytab /etc/httpd.keytab > --principal=HTTP/dc01.example.com at EXAMPLE.COM > > Then examine the keytab: > > ktutil > ktutil: rkt /etc/httpd.keytab > ktutil: l > slot KVNO Principal > ---- ---- > --------------------------------------------------------------------- > 1 1 HTTP/dc01.example.com at EXAMPLE.COM > 2 1 HTTP/dc01.example.com at EXAMPLE.COM > 3 1 HTTP/dc01.example.com at EXAMPLE...

Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at

...:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 >> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac >> >> And running 'ktutil' produces this: >> >> root at dc4:~# ktutil >> ktutil:  rkt /etc/dhcpduser.keytab >> ktutil:  l >> slot KVNO Principal >> ---- ---- --------------------------------------------------------------------- >>    1    1            dhcpduser at SAMDOM.EXAMPL...

...deleted the keytab file and did the following: $ samba-tool user delete dovecot $ samba-tool user add dovecot # again, that asked for a password and I assigned one. $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot $ ktutil ktutil: addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac Password for smtp/mail.hprs.local at HPRS.LOCAL: ktutil: addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac Password for imap/mail.hprs.local at HPRS.LOCAL: ktutil: wkt /etc/dovecot/dovec...

...rinc host/srv-mail.cn.energy at CN.ENERGY -mapuser ldapmail at CN.ENERGY -pass "superpasswd" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\mail.keytab etc... for all imap/srv-mail.cn.energy pop/srv-mail.cn.energy smtp/srv-mail.cn.energy host/srv-mail.cn.energy On Linux server: ktutils ktutils: rkt /root/Keytab/imap.keytab ktutils: rkt /root/Keytab/smtp.keytab ktutils: rkt /root/Keytab/pop.keytab ktutils: rkt /root/Keytab/host.keytab ktutils: wrt /etc/krb5.keytab ktutils: q kinit -V -k -t /etc/krb5.keytab host/srv-mail.cn.energy at CN.ENERGY Authenticated to Kerberos v5 KRB5_K...

...: > > $ samba-tool user delete dovecot > $ samba-tool user add dovecot > > # again, that asked for a password and I assigned one. > > $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot > $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot > > $ ktutil > ktutil: addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac > Password for smtp/mail.hprs.local at HPRS.LOCAL: > ktutil: addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac > Password for imap/mail.hprs.local at HPRS.LOCAL: > ktutil...

...ntil 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 > 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM >     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac > > And running 'ktutil' produces this: > > root at dc4:~# ktutil > ktutil:  rkt /etc/dhcpduser.keytab > ktutil:  l > slot KVNO Principal > ---- ---- --------------------------------------------------------------------- >    1    1            dhcpduser at SAMDOM.EXAMPLE.COM >    2    1       ...

...no >>> >>> I created a new user on the DC: >>> samba-tool user add cifsuser >>> Gave 'cifsuser' a uidNumber and gidNumber >>> >>> Next on the client: >>> >>> Extract and merge a keytab: >>> cd /etc >>> ktutil >>> ktutil: add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e >>> arcfour-hmac >>> Password for cifsuser at EXAMPLE.COM: >>> ktutil: wkt cifs.keytab >>> ktutil: rkt krb5.keytab >>> ktutil: rkt cifs.keytab >>> ktutil: wkt krb5...

Am 22.01.2015 um 12:28 schrieb Rowland Penny: > On 22/01/15 10:53, Norbert Heinzelmann wrote: >> Hello, >> >> I have the problem that the ACLs are ignored when I mount a share via >> cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also tried it >> with Gentoo and samba 4.1.14). So I joined a member server like the >> wiki describes. Everything

...1-96, aes256-cts-hmac-sha1-96 > >> 11/01/19 10:12:50  11/01/19 20:12:50 > >> DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM > >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): > >>arcfour-hmac, arcfour-hmac > >> > >> And running 'ktutil' produces this: > >> > >> root at dc4:~# ktutil > >> ktutil:  rkt /etc/dhcpduser.keytab > >> ktutil:  l > >> slot KVNO Principal > >> ---- ---- > >> --------------------------------------------------------------------- > >&gt...

...does not seem to use them. Most of the solutions I found are for MIT kerberos, but I use heimdal (as of SuSE 9.0), where e.g. the hints from new zealand's linux wiki (http://www.wlug.org.nz/ActiveDirectorySamba) don't work. They tell me to import the keytab file with ----------------- % ktutil ktutil: rkt mail.keytab ktutil: list ktutil: wkt /etc/krb5.keytab ktutil: q ------------------ But this does not work - not with ktutil and not with kadmin. Perhaps i missed something? Thanks a lot!!! -- Mit freundlichen Gr??en Markus Feilner -- Linux Solutions, Training, Seminare und Work...

Hi! I maintain Linux servers that are members of a Samba4 Domain. User authentication / login via ssh works fine with Kerberos. But: only via one hostname. Those machines need a working Kerberos login via multiple hostnames (each hostname has its own IP address and DNS is set up correctly.) "net ads keytab list" of course gives me the main hostname that was in use when joining the

...part is working great. Other parts (shared mailboxes, that sort of stuff) aren't working for me yet. This is my own fault, not a dovecot one, haven't looked into it enough. Anyway, the SSO is working great. One of the tricky bits is you need a kerberos keytab with two services. I used ktutil: # ktutil ktutil: read_kt mail-imap.keytab ktutil: read_kt mail-smtp.keytab ktutil: write_kt mail.keytab ktutil: quit I'm using a windows 2003 r2 server as domain controller, to create a keytab file you need the windows 2003 support tools. ktpass.exe -princ imap/mailserver.gcecad...

...it my problem: I have Dovecot running on the same host as Samba4 AD/DC. I've set > Thunderbird to authenticate with GSSAPI on a domain workstation. I have an /etc/krb5.keytab > file as required by Dovecot. I've also downloaded and installed Kerberos for access to > the k* commands (ktutil, kinit, klist, ...). > > In my current setup, the Thunderbird client (WIN7 workstation) is not connecting. The WIN7 > workstation is a domain member and works fine otherwise with Samba4 for AD user authentication, > etc. Thunderbird gives the following error: > > "The Kerbe...

...ecot > > $ samba-tool user add dovecot > > > > # again, that asked for a password and I assigned one. > > > > $ samba-tool spn add smpt/mail.hprs.local at HPRS.LOCAL dovecot > > $ samba-tool spn add imap/mail.hprs.local at HPRS.LOCAL dovecot > > > > $ ktutil > > ktutil: addent -password -p smtp/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac > > Password for smtp/mail.hprs.local at HPRS.LOCAL: > > ktutil: addent -password -p imap/mail.hprs.local at HPRS.LOCAL -k 1 -e arcfour-hmac > > Password for imap/mail.hprs.local at HPR...