search for: principally

Hello samba team ! I have some NFS4 exports managed by a Samba's Kerberos realm. All the standard user accesses work fine. I try now to setup an NFS4 root access to administer the share from another server (the two host are DC, one PDC and one SDC). But I have trouble understanding the kerberos/principals layer. ------------ Actually I do ------------- -> on the server I create an nfs

Hello, Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong. For example, I have multiple hosts that all serves as monitoring server, I would like to trust only these hosts, so I enrol a certificate for these using "monitoring" principal, so I can connect only to these. At first I thought we can do Match statement at ssh_config, however, the Match is being

Thanks you very much Louis ! I have tried your setup and I can't mount the share neither from the server itself or the client. On /var/log/syslog I have : rpc.gssd : ERROR : no credentials found for connecting to server myserver This is because the machine principal is not present in the keytab : $ klist -k 1 nfs/myclient.samdom.com at SAMDOM.COM 1 nfs/myclient.samdom.com at SAMDOM.COM 1

Hai Baptiste, I re-checked my setup and your totaly correct. I can not enter the nfsV4 mounted directory as root. What i've added in idmap.conf Is this : Domain = your_DNS_domain.tld [Translation] Method = nsswitch And i found this link. http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu im testing this now. Greetz, Louis >

Hai, I had it the other way around. Only root acces. I have scripted my setup and tested on debian. Look here https://secure.bazuin.nl/scripts/these_are_experimental_scripts/ setup-nfsv4-kerberos.sh If you get the file, setup-nfsv4-kerberos.sh and compair it to your setup. If you can read the bash script maybe you see something you missed. When i write as "root" its root and

Dear all I'm unable to find an example of extracting the rotated scores of a principal components analysis. I can do this easily for the un-rotated version. data(mtcars) .PC <- princomp(~am+carb+cyl+disp+drat+gear+hp+mpg, cor=TRUE, data=mtcars) unclass(loadings(.PC)) # component loadings summary(.PC) # proportions of variance mtcars$PC1 <- .PC$scores[,1] # extract un-rotated scores of

Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at

Hi, I am new to samba and Kerberos so please be gentle! I have built a samba AD DC (v4.3.5) on Centos Linux from source and am trying to add a service principal and generate a keytab containing the principal. However the principal entry does not appear in the keytab. Here's what I did: [root at bones ~]# samba-tool spn add GEMSTONE64/bunk.gemtalksystems.com at

Hi all, Last week I noticed that the CertChecker in the Go implementation of x/crypto/ssh seems to be doing host principal validation incorrectly and filed the following bug: https://github.com/golang/go/issues/20273 By default they are looking for a principal named "host:port" inside of the certificate presented by the server, instead of just looking for the host as I believe OpenSSH

I am running a PCA, but would like to rotate my data and limit the number of factors that are analyzed. I can do this using the "principal" command from the psych package [principal(my.data, nfactors=3,rotate="varimax")], but the issue is that this does not report scores for the Principal Components the way "princomp" does. My question is: Can you get an

Darren, We have systems which are multihomed for virtualisation, but run only one sshd. You can connect to any IP-address and should be authenticated with gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the server has to have an entry for this in the keytab and has to select the right key by determining the hostname from the connection IP-address. There is no other way

Ok, now its clear to me. We need to set UMICH_SCHEMA in idmap.conf Read : http://linux.die.net/man/5/idmapd.conf Working on it now. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van Belle > Verzonden: vrijdag 9 oktober 2015 13:34 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] kerberos

Hello, I need to do a principal component analysis with EQUAMAX-rotation. Unfortunately the function principal() I use normally for PCA does not offer this rotation specification. I could find out that this might be possible somehow with the package GPArotation but until now I could not figure out how to use this in the principal component analysis. Maybe someone can give an example on how to do

Hi, I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed network. I have configured the setup as per Samba4 Howto. But when I try to do "samba_dnsupdate --all-names" it fails with error: dns_tkey_negotiategss: TKEY is unacceptable The kerberos ticket being used by samba_dnsupdate shows follwoing principals: klist -c /tmp/tmp6cxfgY Ticket cache: FILE:/tmp/tmp6cxfgY

Hi, Users who are interested in certificate authentication might be interested in this change: > - djm at cvs.openbsd.org 2010/05/07 11:30:30 > [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c key.c] > [servconf.c servconf.h sshd.8 sshd_config.5] > add some optional indirection to matching of principal names listed > in certificates. Currently, a

Hi OpenSSH devs, I?m wondering if the following has any merit and can be done securely ... If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like /etc/ssh/authorized_keys/sshfwd: cert-authority,principals=?batcha-fwd,batchb-fwd? ... /etc/ssh/sshd_config containing: Match User sshfwd PubkeyAuthentication yes

AFAIK everything you described here could be done using the AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These can emit authorized_keys options (inc. permitopen) as well as the allowed keys/principals. On Sun, 12 Nov 2023, Bret Giddings wrote: > Hi OpenSSH devs, > > I?m wondering if the following has any merit and can be done securely ... > > If you could

Hi, When I have a service on a client that tries to use kerberos and I get errors such as these in the log.samba file: Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb Does this mean that the kerberos authentication system is looking for the principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain or in the

Hi Rowland, Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name). But in your second exemple, you never mention the SPN, neither in the keytab export or in the kinit command. Does that means that there is no kinit possible using the SPN? So I am worried of what is the benefice of adding a SPN to a user instead of

On Wed, May 17, 2017 at 2:46 AM, Damien Miller <djm at mindrot.org> wrote: > On Mon, 15 May 2017, Adam Eijdenberg wrote: >> https://github.com/golang/go/issues/20273 >> >> By default they are looking for a principal named "host:port" inside >> of the certificate presented by the server, instead of just looking >> for the host as I believe OpenSSH