Displaying 20 results from an estimated 35 matches for "msktutil".

2013 Nov 28
0
msktutil with samba4
Hi all, can anybody confirm the tool msktutil (used to extract keytab from AD and import to linux clients) works with samba4? In my environment, the command: /usr/sbin/msktutil --create --service host/drudgesk.example.org --computer-name drudgesk --service HTTP --verbose fails without an error, after a successful connection to the AD ldap: [....
2013 Dec 02
0
msktutil with samba4 -- solved
Sorry for the previous message, it was just an issue with the setting of the primary dns resolver on the linux client. So I can confirm msktutil 0.5-1 (Debian GNU/Linux jessie) works fine with samba-4.1.2 (creates principal and spn on PDC and exports them in a keytab to client -- that is very handy with tools like puppet where a single line command is very prized) regards, Francesco
2010 Apr 19
1
Samba4 segfault
Hi, during my tests to use Samba4 as a kdc for kerberized NFS, I found a bug in the KDC code, when generating a principal without pac (e.g. with msktutil and option --no-pac), that causes Samba4 to crash: Running the following command on one of the client machines msktutil -c --upn nfs/testa.linex.org -h testa.linex.org --computer-name testa-service-nfs --server s4-dc1.linex.org --no-pac results in this gdb backtrace on the samba4 dc (s4-dc1....
2019 Jan 10
6
Running off pre-created keytabs
Hi folks, we'd like to provision new Samba servers (file sharing only) with the system keytab. It will be precreated by some other process (msktutil) because we don't have direct access to a domain admin account. Is there any degradation in functionality by not using "secrets and keytab" and not doing "net ads join"? This is somewhat similar to my question from 2017-11 [1] where I wanted to do "net ads join"...
2016 Dec 29
3
Error with samba update in debian.
no that's not it samba-tool does not set upn but msktutil does set the upn. So an option for samba-tool to set upn would be nice... Greetz Louis > On 28 Dec 2016 at 18:38, Rowland Penny via samba <samba at lists.samba.org> wrote: > > On Wed, 28 Dec 2016 17:05:39 +0100 > "L.P.H. van Belle via samba"...
2016 Dec 02
6
Samba and kerberized NFSv4
> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your client's ldap entry and reexport the keytab? I already thought about trying that. So by now, I tried tweaking the client's LDAP entry. Adding userPrincipalName=CLIENT02.DOMAIN.TLD does not succeed, however, after reviewing the ldap filter once again, I added userPrincipalName=nfs/client02.domain.tld at
2019 Mar 01
0
Running off pre-created keytabs
...the OU within the domain. For joining the machine with its computer account you need (temporary) administrative access to the machine and the temporary computer password. But it should not be required to enter the password of the OU admin on the machine to be joined! I think one can do this with msktutil --set-samba-secret for renewing host keytab and Samba's secret.tdb. I recently wrote an ansible role with which an OU admin (has TGT on ansible controller) pre-creates / resets the computer account and the machine is joined with msktutil and temporary computer password in one play. Ciao, Mich...
2016 Dec 02
0
Samba and kerberized NFSv4
...of kerberos service as it uses two different kinds of authentication: First of all a host based authentication to authenticate the mount itself, followed by the user's credentials that are checked upon directory/file access. In case you haven't found it yet: There's a nice tool called msktutil, that will help when creating user/ servicePrincipalNames in Active Directory / Samba DC. One other thing I found during my tries to get kerberized NFSv4 working with my Samba DC: Some principals require the NO_AUTH_DATA_REQUIRED flag to be set (--no-pac in msktutil), otherwise tickets will not be...
2013 Aug 15
1
samba: check password with AD without joining domain?
Is there a way to get samba to authenticate against an AD without having to join that domain (which needs admin credentials)? I don't want any of the automatic user creation or mapping stuff from winbind, just a password check instead of having to maintain a local password. I can get that effect via kerberos for normal linux logins by using authconfig-tui, checking kerberos, and filling in
2019 Jan 11
5
Running off pre-created keytabs
...>> Hi folks, > >>>>>>>> > >>>>>>>> we'd like to provision new Samba servers (file sharing only) > >>>>>>>> with the system keytab. It will be precreated by some other > >>>>>>>> process (msktutil) because we don't have direct access to a > >>>>>>>> domain admin account. Is there any degradation in > >>>>>>>> functionality by not using "secrets and keytab" and not doing > >>>>>>>> "net ads joi...
2019 Mar 01
2
Running off pre-created keytabs
...d (temporary) > administrative access to the machine and the temporary computer > password. Couldn't get this to work. > > But it should not be required to enter the password of the OU admin on > the machine to be joined! It isn't. > > I think one can do this with msktutil --set-samba-secret for renewing > host keytab and Samba's secret.tdb. You need a group with the permissions to join computers set on the OU, a user who is a member of this group and the user's keytab. You only need standard Unix and Samba tools. > > I recently wrote an ansible role...
2019 Nov 03
2
DC with outdated secrets
Dear list, by mistake some script (msktutil) has updated machine password and keytab for one of my DCs (samba-4.10.10). While I could restore the keytab (/var/lib/samba/private/secrets.keytab) using samba-tool domain exportkeytab, I fail to come up with a way to update the secrets file (/var/lib/samba/private/secrets.ldb) with a new machine...
2019 Jan 11
2
Running off pre-created keytabs
...n Thu, 10 Jan 2019 16:23:06 +0100 > "Osipov, Michael via samba" <samba at lists.samba.org> wrote: > >> Hi folks, >> >> we'd like to provision new Samba servers (file sharing only) with the >> system keytab. It will be precreated by some other process (msktutil) >> because we don't have direct access to a domain admin account. Is >> there any degradation in functionality by not using "secrets and >> keytab" and not doing "net ads join"? >> >> This is somewhat similar to my question from 2017-11 [1] wh...
2016 Aug 30
2
set UPN / SPN from samba-tool.
2016-08-30 16:10 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>: > On Tue, 30 Aug 2016 15:58:13 +0200 > mathias dufresne via samba <samba at lists.samba.org> wrote: > > > And reading last mails comforts me in believing the filter used by > > client side to retrieve user is not correct, that filter should use > > SPN then you won't need to
2018 Feb 05
1
Using Samba AD for NFSV4 Kerberos servers and clients
...= false    validate = true  } ############## end /etc/krb5.conf ##################### Here's the command that I run to generate the keytab on the nfs server (after properly configuring '/etc/samba/smb.conf': ############# kinit Administrator at EXMAPLE.COM rm -rf /etc/krb5.keytab; msktutil --delegation --dont-expire-password \ --no-pac --computer-name server \ --enctypes 0x1F -b "OU=Services" \ -k /etc/krb5.keytab -h server.example.com \ -s nfs/server.example.com \ --upn nfs/server.example.com  --verbose rm -rf /etc/krb5.keytab net ads join -k -UAdministrator #############...
2019 Jan 11
2
Running off pre-created keytabs
...el via samba" <samba at lists.samba.org> wrote: >>> >>>> Hi folks, >>>> >>>> we'd like to provision new Samba servers (file sharing only) with >>>> the system keytab. It will be precreated by some other process >>>> (msktutil) because we don't have direct access to a domain admin >>>> account. Is there any degradation in functionality by not using >>>> "secrets and keytab" and not doing "net ads join"? >>>> >>>> This is somewhat similar to my ques...
2019 Jan 11
3
Running off pre-created keytabs
...> wrote: >>>>> >>>>>> Hi folks, >>>>>> >>>>>> we'd like to provision new Samba servers (file sharing only) with >>>>>> the system keytab. It will be precreated by some other process >>>>>> (msktutil) because we don't have direct access to a domain admin >>>>>> account. Is there any degradation in functionality by not using >>>>>> "secrets and keytab" and not doing "net ads join"? >>>>>> >>>>>> This...
2016 Aug 29
0
set UPN / SPN from samba-tool.
...“issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. /sn...
2016 Aug 29
1
set UPN / SPN from samba-tool.
...“issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them.  The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN.  There is no easy way to query what the UPN for the SPN is. Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference. /sn...
2016 Dec 30
0
Error with samba update in debian.
...mba at lists.samba.org > Subject: Re: [Samba] Error with samba update in debian. > > On Thu, 29 Dec 2016 09:25:20 +0100 > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > > > no that's not it > > > > samba-tool does not set upn but msktutil does set the upn. > > > > So an option for samba-tool to set upn would be nice... > > > > > > Greetz > > > > Louis > > Yes it is !! > > From my point of view, squid is expecting an SPN, but seems to accept > a UPN. Have you tried using the...