search for: s4u

Hello, Does samba support the use of S4U? What do we need to configure in SAMBA or krb5 to support getting a ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1 We are getting the following error: decode_pac_data: Name in PAC [username@something1.something2.realmname] does not match principal name in ticket The tic...

does SAMBA4 support Kerberos S4U tokens? Background: I am trying to get OpenSSH for windows to work on machines joined to our SAMBA4 domain We are running Samba 4.7.3-Debian on Debian 9 When attempting to SSH in to a windows client using public key credentials for a domain user it fails. When attempting to SSH into a windows cl...

...account is a kerberos login which requires > either Username and Password, or possibly PKINIT with a certificate. > None of them can work with just a public key. > > Norbert > > > On 11.06.2018 15:56, Taylor Hammerling via samba wrote: > > does SAMBA4 support Kerberos S4U tokens? > > > > Background: > > I am trying to get OpenSSH for windows to work on machines joined > > to our SAMBA4 domain > > We are running Samba 4.7.3-Debian on Debian 9 > > > > When attempting to SSH in to a windows client using public key > > cre...

Seteuid now creates user token using S4U. We don't create a token from scratch anymore, so we don't need the "Create a process token" privilege. The service can run under SYSTEM again. --- contrib/cygwin/ssh-host-config | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/contrib/cygwin...

...samba-4.9.1? I tried to match a Windows Server 2016 ADFS v3 with a samba-4.9.1 AD DC. The web form authentication allow a user to insert username and password, the ADFS correctly recognizes wrong password, but when password is correct, ADFS fails on the redirect step with a non-diagnostic error: S4U Logon for user with upn 'user at domain' threw the following exception: 'Insufficient system resources exist to complete the requested service' So, I was wondering if my naive attempt is architecturally flawed before delving into the issue more, thank you, franz

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...cks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabl...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...formation for the GSS user account MYDOM.TEST\nfs/nfsclient.mydom.test. Check that the user account MYDOM.TEST\nfs/nfsclient.mydom.test is valid and meets als configured security policies. Ther may be additional information in the Windows Security event log. MSV Status: 0xC000009A, Substatus: 0x0 S4U Status: 0xC000006D, Substatus: 0x0 " The security log reports: "An account failed to log on. Subject: Security ID: SYSTEM Account Name: WIN12$ Account Domain: MYDOM Logon ID: 0x3E7 Logon Type:...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support with MIT Kerberos 1.20 ------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ?...

...upgrading samba file server. o Alexander Bokovoy <ab at samba.org> * BUG 14359: s3: Pass DCE RPC handle type to create_policy_hnd. o Isaac Boukris <iboukris at gmail.com> * BUG 14155: Fix uxsuccess test with new MIT krb5 library 1.18. * BUG 14342: mit-kdc: Explicitly reject S4U requests. o Anoop C S <anoopcs at redhat.com> * BUG 14352: dbwrap_watch: Set rec->value_valid while returning nested share_mode_do_locked(). o Amit Kumar <amitkuma at redhat.com> * BUG 14345: lib:util: Fix smbclient -l basename dir. o Volker Lendecke <vl at samba....

...upgrading samba file server. o Alexander Bokovoy <ab at samba.org> * BUG 14359: s3: Pass DCE RPC handle type to create_policy_hnd. o Isaac Boukris <iboukris at gmail.com> * BUG 14155: Fix uxsuccess test with new MIT krb5 library 1.18. * BUG 14342: mit-kdc: Explicitly reject S4U requests. o Anoop C S <anoopcs at redhat.com> * BUG 14352: dbwrap_watch: Set rec->value_valid while returning nested share_mode_do_locked(). o Amit Kumar <amitkuma at redhat.com> * BUG 14345: lib:util: Fix smbclient -l basename dir. o Volker Lendecke <vl at samba....

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support now also with MIT Kerberos 1.20 ---------------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability,...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support now also with MIT Kerberos 1.20 ---------------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability,...

...Samba to remove the old and insecure SMB1 protocol from their products. Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. Bronze bit and S4U support now also with MIT Kerberos 1.20 ---------------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability,...