search for: mapus

Hi all, I’m looking to add in a kerberos principal on my server for the AD domain. I see there are ways to do this for user(s), but I don’t see how to add a principal for hosts. In general, I’ld like to add something like the following to me 4.3.4 Domain: ktpass -princ afpserver/fqdn at REALM -mapuser mapuser at domain +rndPass -out afpserver.keytab This is for a netatalk server. I’ve never had to add a principal to my samba, so I’d just like come clarification as this is for a host and not a user. what would the 'samba-tool spn add …’ syntax look like in order to add in a host principal...

I have created a mapusers.bash script (listed below) for mapping Active Directory handles to unix logins. This script is currently working as documented. I would like some insight into how and when this script gets called. I assumed that upon establishing each samba connection, after the active directory handle gets a...

...os principal on my server for the AD domain. > > I see there are ways to do this for user(s), but I don’t see how to add a > principal for hosts. > > In general, I’ld like to add something like the following to me 4.3.4 > Domain: > > ktpass -princ afpserver/fqdn at REALM -mapuser mapuser at domain +rndPass -out > afpserver.keytab > > This is for a netatalk server. I’ve never had to add a principal to my > samba, so I’d just like come clarification as this is for a host and not a > user. > > what would the 'samba-tool spn add …’ syntax look like...

...tional as this is how they appear when I run spnset hostname HOST/HOSTNAME HOST/hostname.domain.com (FQDN) I also setup a service account name (user object) on Windows whose name is same as the hostname (computer object). I generated the keytab file with ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab I then ftped this file over to Solaris host and try to authenticate a user login via AD, I get PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database...

...p.keytab ktutil: read_kt mail-smtp.keytab ktutil: write_kt mail.keytab ktutil: quit I'm using a windows 2003 r2 server as domain controller, to create a keytab file you need the windows 2003 support tools. ktpass.exe -princ imap/mailserver.gcecad-service.nl at GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab ktpass.exe -princ smtp/mailserver.gcecad-service.nl at GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-sm...

I was trying to get authentication via kerberos working but I'm having trouble trying to run ktpass as in step 6 here http://robertan.com/home/2015/01/14/kerberos-auth-with-apachephp/ ktpass -princ HTTP/contoso.com at CONTOSO.COM -mapuser CONTOSO\<USERNAME> -crypto all -ptype KRB5_NT_PRINCIPAL -pass <PASSWORD> -out webpage.HTTP.keytab I'm not sure of the syntax of even the microsoft command. In step 5 it looked like they created a user apache but I don't see that in the command at all. even if...

> From my understanding you seem to have Mac and Windows clients and are > using the Samba machine as a fileserver. If the windows machines are > joined to a domain, then you will probably be better off joining the > Samba machine to the domain, this way you will not need the user map. > > It might help if you could explain your setup, if it is different > from the above and

...erberos Realm in the Solaris and authenticate the samba domain user to the local windows 2k machine. But this two cases are seperated from each other which means the kerberos authentication use the kerberos password and samba PDC authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the kerberos user to the local or samba domain user and then do the authentication to the kerberos. So we really want is, when we do the samba PDC authentication we can use the kerberos password. I don't know if it right. PLS correct me . Thank you very much. John ---- Original Messa...

Hello, I'm trying to access a samba share using an ADS user credentials. I always get an error, and the debug traces (log level = 5) are giving me the output in the follow. I have searched the samba ML archives, and I have found the thread http://lists.samba.org/archive/samba/2004-April/084545.html but, before asking the system admin to apply the eventual KB fixes, I would like to know if the

...ave googled and read in mailing lists, and became good advice (thanks chris!) on how to get a ticket wih a cronjob and a keytab file: - On the ADS-KDC I created a user, to whose account the new kerberos principal is to be mapped, - which I did by typing "ktpass -princ host/hostname@REALM -mapuser username -pass password -out keyfile", like microsoft explains on their techinfo sites. - Then I transferred the keyfile to the linux box and tried to use it for kinit with the -k and -t switches. BUT: All I got is: Additional pre-authentication required. (which seems to be the least e...

...ys like this; only recently did I implement this with a nightly script that copies the id numbers into AD). The smb.conf I posted is the one which exhibits the problem with group-writable files. By commenting the username map and uncommenting the username map script, the problem goes away. The mapusers.sh script just echos $1. The usermap.cfg map file is empty. I've also tried removing that config line entirely - problem remains. The share I used for testing is: [www.nrao.edu] comment = www.nrao.edu Web Content path = /home/www.nrao.edu public = no w...

...blem with authorization users AD via kerberos in Dovecot&Postfix. Windows SRV 2008 Standart - AD mail server: Gentoo + cyrus-sasl + postfix + dovecot with support ldap&kerberos. I am created a 4 keytabs on Windows box. C:\Users\Admin>ktpass -princ host/srv-mail.cn.energy at CN.ENERGY -mapuser ldapmail at CN.ENERGY -pass "superpasswd" -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\mail.keytab etc... for all imap/srv-mail.cn.energy pop/srv-mail.cn.energy smtp/srv-mail.cn.energy host/srv-mail.cn.energy On Linux server: ktutils ktutils: rkt /root/Keytab/imap.keytab kt...

...switch.conf is this: --------------- passwd: files winbind group: files winbind hosts: files wins shadow: files winbind ... ------------------------ The instruction in the ActiveDirectory Domain Controller was: C:\temp>ktpass -princ host/sundev.flexi.com.mx@FLEXI.COM.MX -mapuser SUNDEV -pass password -out sundev.keytab ____________________________________________________ Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs

...ws 2000 Domain Controller with the same name that your machine (use the lastname field). Enable option User cannot change password y Password never expires. 4. Generate the keytab for Kerberos in your Win2k Domain Controller: C:\temp\ktpass ?princ host/unixmachine.domain.com@DOMAIN.COM ?mapuser unixmachine ?pass password -out unixmachine.keytab 4.1. Copy the file unixmachine.keytab to the unixmachine under the directory /etc/krb5/ (It can be made with ftp o scp, depending of the unix server) 4.2. Register the key in your unixmachine: /home1/kerberos5/sbin/ktutil...

...m in the Solaris and authenticate the samba domain user > to the local windows 2k machine. But this two cases are seperated from each other > which means the kerberos authentication use the kerberos password and samba PDC > authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the > kerberos user to the local or samba domain user and then do the authentication to > the kerberos. So we really want is, when we do the samba PDC authentication we can > use the kerberos password. I don't know if it right. PLS correct me . > Thank you very much. > Joh...

...ntly did I implement this with a nightly script that copies > the id numbers into AD). > > The smb.conf I posted is the one which exhibits the problem with > group-writable files. By commenting the username map and uncommenting > the username map script, the problem goes away. The mapusers.sh > script just echos $1. The usermap.cfg map file is empty. I've also > tried removing that config line entirely - problem remains. > > The share I used for testing is: > > [www.nrao.edu] > comment = www.nrao.edu Web Content > path = /home/www.nr...

...m in the Solaris and authenticate the samba domain user > to the local windows 2k machine. But this two cases are seperated from each other > which means the kerberos authentication use the kerberos password and samba PDC > authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the > kerberos user to the local or samba domain user and then do the authentication to > the kerberos. So we really want is, when we do the samba PDC authentication we can > use the kerberos password. I don't know if it right. PLS correct me . > Thank you very much. > Joh...

...l mappage des utilisateurs Pour que les utilisateurs puissent acc?der aux ressources du domaine, l'AD doit pouvoir trouver un compte qui corresponde. Il faut r?aliser un mappage entre les principals Kerberos et les comptes du domaine. Le mappage peut ?tre r?alis? globalement avec ksetup /mapuser * * ou par utilisateur dans l'interface de gestion des comptes de l'AD. Activer les "fonctions avanc?es" et faire un clic droit sur l'utilisateur et "mappage des utilisateurs" on devrait maintenant pouvoir se logger sur un poste du domaine en utilisant le doma...

...s and authenticate the samba domain user > > to the local windows 2k machine. But this two cases are seperated from each other > > which means the kerberos authentication use the kerberos password and samba PDC > > authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the > > kerberos user to the local or samba domain user and then do the authentication to > > the kerberos. So we really want is, when we do the samba PDC authentication we can > > use the kerberos password. I don't know if it right. PLS correct me . > > Thank you v...

I'm having trouble with files being marked read-only in Windows because the Solaris file owner does not have write-permissions on the file; group-write is allowed: -r--rw---- 1 user group 32 Feb 13 14:19 testfile.txt I thought that setting "store dos attributes = yes" for this share would allow the "read only" setting to be stored in extended attributes, but it