Displaying 20 results from an estimated 21 matches for "pkinit_anchor".
2023 Jul 14
1
Samba 4 AD SmartCard Authentication Problem
...../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: PKINIT request but PKINIT not enabled
Is there another trigger to enable pkinit under Samba AD? That's my
krb5.conf:
[libdefaults]
default_realm = TEST.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
[appdefaults]
pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
[realms]
TEST.EXAMPLE.DE = {
default_domain = test.example.de
pkinit_require_eku = true
}
[domain_realm]
dc0 = TEST.EXAMPLE.DE
[kdc]
enable-pkinit = yes
pkinit_identity = FILE:/var/...
2023 Nov 02
2
Issues with AD trusts and UID/GID ranges
...rdns = false
default_realm = CUSTOMER.TLD
default_ccache_name = KEYRING:persistent:%{uid} [realms]
CUSTOMER.TLD = {
kdc = ad.customer.tld
admin_server = ad.customer.tld
default_domain = customer.tld
pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
pkinit_cert_match = <KU>digitalSignature
pkinit_kdc_hostname = ad.customer.tld
}
CORPORATE.TLD = {
kdc = ad.corporate.tld
admin_server = ad.corporate.tld...
2020 Nov 19
1
Smartcard logon
...read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/svitla3.room/scripts
> read only = No
> krb5.conf
>
> [libdefaults]
> default_realm = SVITLA3.ROOM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>
> [appdefaults]
> pkinit_anchors = FILE:/var/lib/samba/private/tls/ca.pem
>
> [realms]
> SVITLA3.ROOM = {
> pkinit_require_eku = true
> }
>
> [kdc]
> enable-pkinit = yes
>...
2023 Jan 05
1
Question about KDC Resolution with Samba
...as well
includedir /etc/krb5.conf.d/
includedir /etc/krb5.conf.d
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = WGNAME.AD.MYCORP.COM
dns_lookup_kdc = true
[realms]
WGNAME.AD.MYCORP.COM = {
}
[domain_realm]
wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
.wgname.ad.mycorp.com = WGNAME.AD.MYCORP.COM
Thanks,
Jim Br...
2016 Jun 08
1
keytabs basics linux <=> AD ?
...p_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
PRIVATE.AAA.PRIVATE.DOM = {
kdc = swir.private.aaa.private.dom:88
master_kdc = swir.private.aaa.private.dom:88
admin_server = swir.private.aaa.private.dom:749
default_domain = private.aaa.private.dom
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
AAA.PRIVATE.DOM = {
kdc = win-srv.aaa.private.dom:88
domain_server = wins-rv1.aaa.private.dom:749
admin_server = win-srv1.private.aaa.private.dom
}
[domain_realm]
.private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
private.aaa.private.dom = PRIVATE.AAA.PRI...
2015 Jan 07
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
My krb5.conf is:
[libdefaults]
defa...
2015 Jan 09
4
Use Samba with ACL for read Active Directory and set Permissions via it.
...fault_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
> My krb5.conf is:
&...
2015 Jan 06
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...es = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>>> pkinit_kdc_hostname = <DNS>
>>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>>> pkinit_eku_checking = kpServerAuth
>>> pkinit_win2k_require_binding = false
>>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>>
>...
2015 Jan 07
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...lt_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
and removed "krb5.keytab" too. You told me that my doma...
2015 Jan 09
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
My krb5.conf is:
[libdefaults]
defa...
2013 Oct 17
1
Authenticating sudo with ipa.
...LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
LOCAL = {
kdc = 192-168-0-100.local:88
master_kdc = 192-168-0-100.local:88
admin_server = 192-168-0-100.local:749
default_domain = 192-168-0-100.local
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.192-168-0-100.local = LOCAL
192-168-0-100.local = LOCAL
.local = LOCAL
local = LOCAL
2015 Jan 19
0
Did you get my previous email? Not Spam.
...> # default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> # default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> # preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> # pkinit_kdc_hostname = <DNS>
> # pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> # pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> # pkinit_eku_checking = kpServerAuth
> # pkinit_win2k_require_binding = false
> # pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
>
> +++++++++++++++++++++++++...
2015 Jan 12
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...fault_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
> My krb5.conf is:
&...
2015 Jan 10
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...fault_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
> My krb5.conf is:
&...
2015 Jan 05
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
> [realms]
> EXAMPLE.COM = {
> kdc...
2023 Jan 08
1
Question about KDC Resolution with Samba
...[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_ccache_name = KEYRING:persistent:%{uid}
> default_realm = WGNAME.AD.MYCORP.COM
It might be set as the default realm, but on this machine (at present)
it is wrong.
> dns_lookup_kdc = true
>
> [realms]
> WGNAME.AD.MYCORP.COM...
2015 Jan 05
2
Use Samba with ACL for read Active Directory and set Permissions via it.
...fault_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
>> [realms]
>&...
2015 Jan 05
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...lt_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server =...
2015 Jan 05
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...5.keytab
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
> pkinit_kdc_hostname = <DNS>
> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
> pkinit_eku_checking = kpServerAuth
> pkinit_win2k_require_binding = false
> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>
> [realms]
> EXAMPLE.COM = {
> kdc...
2015 Jan 06
0
Use Samba with ACL for read Active Directory and set Permissions via it.
...fault_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>> pkinit_kdc_hostname = <DNS>
>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
>> pkinit_eku_checking = kpServerAuth
>> pkinit_win2k_require_binding = false
>> pkinit_identities = PKCS11:/opt/pbis/lib64/libpkcs11.so
>>
>> [realms]
>&...