search for: preferred_enctyp

Hello, I have different Sites in my domain and want the different members to use the respective domain controller of their site. I can't get this to work right. I have a member that is in site B but executing "net ads info" outputs the DC of site A as active. I read about enabling "winbind_krb5_locator", but it is already located in

....EXAMPLEAD. > > > [libdefaults] > default_realm = AD.EXAMPLE.COM > default_tgs_enctypes = aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 RC4-HMAC > default_tkt_enctypes = aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 RC4-HMAC > preferred_enctypes = aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 RC4-HMAC > dns_lookup_realm = false > dns_lookup_kdc = true > > [realms] > AD.EXAMPLE.COM = { > kdc = 192.168.1.1 > kdc = 192.168.1.2 > } >...

...onfusing to me since it works perfectly on my SLES 9 server and I copied the configuration from there. Thanks, Ron >From krb5.conf: [libdefaults] default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_realm = NA.UIS.UNISYS.COM dns_lookup_kdc = true [realms] NA.UIS.UNISYS.COM = { kdc = 192.63.225.67:88 admin_server = 192.63.225.67:749 } EU.UIS.UNISYS.COM = { kdc = 192.61.146...

...nf.MYDOMAIN [libdefaults] default_realm = MYDOMAIN.COM default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 dns_lookup_realm = false [realms] MYDOMAIN.COM = { kdc = 192.168.x.y kdc = 192.168.x.z } #:/usr/local/samba/var/lock/smb_krb5# I would...

...> default_realm = INTRANET.VIPCO.DE > default_tgs_enctypes = aes256-cts-hmac-sha1-96 >aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 > default_tkt_enctypes = aes256-cts-hmac-sha1-96 >aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 > preferred_enctypes = aes256-cts-hmac-sha1-96 >aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 > >[realms] > INTRANET.VIPCO.DE = { > kdc = 192.168.0.197 > kdc = 192.168.122.1 > } > >Doesn't that mean 192.168.0.197 is the primary kdc? >1...

...dc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = TEST.SG default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 dns_lookup_realm = false dns_lookup_kdc = false forwardable = true renewable = true ticket_lifetime = 365d renew_lifetime = 1000d [realms] TEST.SG = { kdc = 4ecapsvsg6.test.sg:88 admin_server = 4ecapsvsg...

...og admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = CORP.OBSCURED.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC [realms] CORP.OBSCURED.COM = { kdc = dmc01.corp.obscured.com kdc = dmc02.corp.obscured.com default_domain = CORP.OBSCURED.COM kdc = dmc03.corp.obscured.com } [domain_realm] .example.com = CORP.OBSCURED.COM example.com = CORP.OBSCURED.COM [kdc] pro...

...Contents: [libdefaults] default_realm = INTRANET.VIPCO.DE default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 [realms] INTRANET.VIPCO.DE = { kdc = 192.168.0.197 kdc = 192.168.122.1 } Doesn't that mean 192.168.0.197 is the primary kdc? 192.168.122.1 should be primary kdc for tha...

...nstance, the 'enc_types...' lines do not match. In /var/lib/samba/smb_krb5/krb5.conf.MYDOMAIN I have [libdefaults] default_realm = MYDOMAIN.LOCAL default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 And in /etc/krb5.conf [libdefaults] default_realm = MYDOMAIN.LOCAL clockskew = 300 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc I created the /etc...

...sshd[74473]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'user1') Auto generated krb5.conf file: [libdefaults] default_realm = SAMPLE.NET default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 [realms] SAMPLE.NET = { kdc = xx.xx.xx.xx kdc = xx.xx.xx.xx } smb.conf file: [global] server signing = auto lanman auth = no workgroup = SAMPLE server string = Test host log file = /var/log/samba/%m.log max log size = 50 security = ADS passdb backend = tdbsam...

...nnect to other kdc ? cat /etc/krb5.conf : [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_realm = RUSSIA.GLOBAL.NETWORK.LOCAL dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] RUSSIA.GLOBAL.NETWORK.LOCAL = { kdc = 101.17.120.23:88 admin_server = 101.17.120.23:749 kpasswd_server = 1...

...when i am already mounting a file share on the ADS domain controller using ntlmv2i? The answer is in "klist -e" and /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME: default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 Deleted the samba cache and added the following to /etc/krb5.conf and it worked once to join the domain and logon a CentOS box with ADS credentials. i could even map a drive letter from our Win2003 box to the CentOS share using ADS credentials. default_tgs_en...

...dc = true > ticket_lifetime = 24h > renew_lifetime = 7d > forwardable = yes > default_keytab_name = /etc/krb5.keytab > default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC > pkinit_kdc_hostname = <DNS> > pkinit_anchors = DIR:/var/lib/pbis/trusted_certs > pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> > pkinit_eku_checking = kpServerAuth > pkinit_win2k_require_binding...

...generated cached entries can be > altogether different than /etc/krb5.conf ! I didn't know about the cached version. here it is : [libdefaults] default_realm = EXAMPLE.DOM default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 [realms] EXAMPLE.DOM = { kdc = 10.0.0.2 kdc = 10.0.0.1 kdc = 10.0.0.1 } I couldn't understand the logic in it. So I played with krb5.conf and smb.conf a little. It seems that this cached file, even when delete...

...fetime = 24h >> renew_lifetime = 7d >> forwardable = yes >> default_keytab_name = /etc/krb5.keytab >> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >> pkinit_kdc_hostname = <DNS> >> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >> pkinit_eku_checking = kpServerAuth >> pkinit_wi...

Hi all! Does samba support AES encryption for use with Win2008 controller domains? If so, why automatically generated krb5.conf still contains only RC4-HMAC DES-CBC-CRC DES-CBC-MD5? Also, why this file contains "preferred_enctypes" parameter which I can't find in "man krb5.conf"? And last question: would samba use system krb5.conf if I set "create krb5 conf=no"? -- Vladimir Vassiliev

...nf.MYDOMAIN [libdefaults] default_realm = MYDOMAIN.COM default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5 dns_lookup_realm = false [realms] MYDOMAIN.COM = { kdc = 192.168.x.y kdc = 192.168.x.z } #:/usr/local/samba/var/lock/smb_krb5# I would...

I have setup SAMBA to authenticate to a 2003 (probably SP1) domain and I am having two very distinct problems. I have searched the archives, but each time I see this question is ask I never see any answers and I need an answer or I am going to have to shut this off. I work in the Kentucky school systems and we have one AD forest containing one domain for each county in the state. That totals up

Hi, I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf: use kerberos keytabe = true and as mentioned in man smb.conf i have set in krb5.conf

...; renew_lifetime = 7d >>> forwardable = yes >>> default_keytab_name = /etc/krb5.keytab >>> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>> preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC >>> pkinit_kdc_hostname = <DNS> >>> pkinit_anchors = DIR:/var/lib/pbis/trusted_certs >>> pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL> >>> pkinit_eku_checking = kpServerAuth &g...