Displaying 20 results from an estimated 35 matches for "msktutil".
Did you mean:
mokutil
2013 Nov 28
0
msktutil with samba4
Hi all,
can anybody confirm the tool msktutil (used to extract keytab from AD
and import to linux clients) works with samba4?
In my environment, the command:
/usr/sbin/msktutil --create --service host/drudgesk.example.org
--computer-name drudgesk --service HTTP --verbose
fails without a error, after a successful connection to the AD ldap:
[....
2013 Dec 02
0
msktutil with samba4 -- solved
Sorry for the previous message, it was just an issue with the setting of
the primary dns resolver on the linux client.
So I can confirm msktutil 0.5-1 (Debian GNU/Linux jessie) works fine
with samba-4.1.2 (creates principal and spn on PDC and exports them in a
keytab to client -- that is very handy with tools like puppet where a
single line command is very prized)
regards,
Francesco
2010 Apr 19
1
Samba4 segfault
Hi,
during my tests to use Samba4 as a kdc for kerberized NFS,
I found a bug in the KDC code, when generating a principal
without pac (e.g. with msktutil and option --no-pac), that
causes Samba4 to crash:
Running the following command on one of the client machines
msktutil -c --upn nfs/testa.linex.org -h testa.linex.org
--computer-name testa-service-nfs --server s4-dc1.linex.org --no-pac
results in this gdb backtrace on the samba4 dc (s4-dc1....
2019 Jan 10
6
Running off pre-created keytabs
Hi folks,
we'd like to provision new Samba servers (file sharing only) with the
system keytab. It will precreated by some other process (msktutil)
because we don't have direct access to a domain admin account. Is there
any degragation in functionality by not using "secrets and keytab" and
not doing "net ads join"?
This is somewhat similiar to my question from 2017-11 [1] where I wanted
to do "net ads join&qu...
2016 Dec 29
3
Error with samba update in debian.
no thats not it
samba-tool does not set upn but msktutil does set the upn.
So an option for samba-tool to set upn would be nice...
Greetz
Louis
> Op 28 dec. 2016 om 18:38 heeft Rowland Penny via samba <samba at lists.samba.org> het volgende geschreven:
>
> On Wed, 28 Dec 2016 17:05:39 +0100
> "L.P.H. van Belle via samba&quo...
2016 Dec 02
6
Samba and kerberized NFSv4
> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry and reexport the keytab?
I already thought about trying that. So by now, I tried tweaking the client's LDAP entry.
Adding
userPrincipalName=CLIENT02.DOMAIN.TLD
does not succeeed, however, after reviewing the ldap filter once again, I added
userPrincipalName=nfs/client02.domain.tld at
2019 Mar 01
0
Running off pre-created keytabs
...the OU within the domain.
For joining the machine with its computer account you need (temporary)
administrative access to the machine and the temporary computer password.
But it should not be required to enter the password of the OU admin on
the machine to be joined!
I think one can do this with msktutil --set-samba-secret for renewing
host keytab and Samba's secret.tdb.
I recently wrote an ansible role with which an OU admin (has TGT on
ansible controller) pre-creates / resets the computer account and the
machine is joined with msktutil and temporary computer password in one play.
Ciao, Mich...
2016 Dec 02
0
Samba and kerberized NFSv4
...of kerberos service
as it uses two different kinds of authentication:
First of all a host based authentication to authenticate
the mount itself, followed by the user's credentials that
are checked upon directory/file access.
In case you haven't found it yet: There's a nice tool
called msktutil, that will help when creating user/
servicePrincipalNames in Active Directory / Samba DC.
One other thing I found during my tries to get kerberized
NFSv4 working with my Samba DC: Some principals require
the NO_AUTH_DATA_REQUIRED flag to be set (--no-pac in msktutil),
otherwise tickets will not be...
2013 Aug 15
1
samba: check password with AD without joining domain?
Is there a way to get samba to authenticate against an AD without
having to join that domain (which needs admin credentials)? I don't
want any of the automatic user creation or mapping stuff from winbind,
just a password check instead of having to maintain a local password.
I can get that effect via kerberos for normal linux logins by using
authconfig-tui, checking kerberos, and filling in
2019 Jan 11
5
Running off pre-created keytabs
...;> Hi folks,
> >>>>>>>>
> >>>>>>>> we'd like to provision new Samba servers (file sharing only)
> >>>>>>>> with the system keytab. It will precreated by some other
> >>>>>>>> process (msktutil) because we don't have direct access to a
> >>>>>>>> domain admin account. Is there any degragation in
> >>>>>>>> functionality by not using "secrets and keytab" and not doing
> >>>>>>>> "net ads joi...
2019 Mar 01
2
Running off pre-created keytabs
...d (temporary)
> administrative access to the machine and the temporary computer
> password.
Couldn't get this to work.
>
> But it should not be required to enter the password of the OU admin on
> the machine to be joined!
It isn't.
>
> I think one can do this with msktutil --set-samba-secret for renewing
> host keytab and Samba's secret.tdb.
You need a group with the permissions to join computers set on the OU,
a user who is a member of this group and the users keytab. You only
need standard Unix and Samba tools.
>
> I recently wrote an ansible role...
2019 Nov 03
2
DC with outdated secrets
Dear list,
by mistake some script (msktutil) has updated machine password and keytab
for one of my DCs (samba-4.10.10). While I could restore the keytab
(/var/lib/samba/private/secrets.keytab) using samba-tool domain
exportkeytab, I fail to come up with a way to update the secrets file
(/var/lib/samba/private/secrets.ldb) with a new machine...
2019 Jan 11
2
Running off pre-created keytabs
...n Thu, 10 Jan 2019 16:23:06 +0100
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> we'd like to provision new Samba servers (file sharing only) with the
>> system keytab. It will precreated by some other process (msktutil)
>> because we don't have direct access to a domain admin account. Is
>> there any degragation in functionality by not using "secrets and
>> keytab" and not doing "net ads join"?
>>
>> This is somewhat similiar to my question from 2017-11 [1] wh...
2016 Aug 30
2
set UPN / SPN from samba-tool.
2016-08-30 16:10 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 30 Aug 2016 15:58:13 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > And reading last mails comforts me in believing the filter used by
> > client side to retrieve user is not correct, that filter should use
> > SPN then you won't need to
2018 Feb 05
1
Using Samba AD for NFSV4 Kerberos servers and clients
...= false
validate = true
}
############## end /etc/krb5.conf #####################
Here's the command that I run to generate the keytab on the nfs server
(after properly configuring '/etc/samba/smb.conf':
#############
kinit Administrator at EXMAPLE.COM
rm -rf /etc/krb5.keytab;
msktutil --delegation --dont-expire-password \
--no-pac --computer-name server \
--enctypes 0x1F -b "OU=Services" \
-k /etc/krb5.keytab -h server.example.com \
-s nfs/server.example.com \
--upn nfs/server.example.com --verbose
rm -rf /etc/krb5.keytab
net ads join -k -UAdministrator
#############...
2019 Jan 11
2
Running off pre-created keytabs
...el via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> we'd like to provision new Samba servers (file sharing only) with
>>>> the system keytab. It will precreated by some other process
>>>> (msktutil) because we don't have direct access to a domain admin
>>>> account. Is there any degragation in functionality by not using
>>>> "secrets and keytab" and not doing "net ads join"?
>>>>
>>>> This is somewhat similiar to my ques...
2019 Jan 11
3
Running off pre-created keytabs
...gt; wrote:
>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> we'd like to provision new Samba servers (file sharing only) with
>>>>>> the system keytab. It will precreated by some other process
>>>>>> (msktutil) because we don't have direct access to a domain admin
>>>>>> account. Is there any degragation in functionality by not using
>>>>>> "secrets and keytab" and not doing "net ads join"?
>>>>>>
>>>>>> This...
2016 Aug 29
0
set UPN / SPN from samba-tool.
...“issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference.
/sn...
2016 Aug 29
1
set UPN / SPN from samba-tool.
...“issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. machine accounts do not have that limitation. But as I said it is just my preference.
/sn...
2016 Dec 30
0
Error with samba update in debian.
...mba at lists.samba.org
> Onderwerp: Re: [Samba] Error with samba update in debian.
>
> On Thu, 29 Dec 2016 09:25:20 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > no thats not it
> >
> > samba-tool does not set upn but msktutil does set the upn.
> >
> > So an option for samba-tool to set upn would be nice...
> >
> >
> > Greetz
> >
> > Louis
>
> Yes it is !!
>
> From my point of view, squid is expecting an SPN, but seems to accept
> a UPN. Have you tried using the...