Displaying 20 results from an estimated 235 matches for "tgs".
2014 May 20
2
Ubuntu client ddns failure
...starttime: unset endtime:
2014-05-21T00:01:35 renew till: 2014-05-21T14:01:35
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40240
for ldap/hh16.hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-05-20T14:01:35 starttime:
2014-05-20T14:01:35 endtime: 2014-05-21T00:01:35 renew till:
2014-05-21T14:01:35
Terminating connection - 'kdc_tcp...
2013 Sep 06
1
Problem with kerberos and GPO
...xx.x.xx
Registered CORMAN<1c> with 127.0.0.2 on interface 127.255.255.255
Registered CORMAN<1c> with xx.xxx.x.x on interface xx.xxx.x.xx
Registered CORMAN<00> with 127.0.0.2 on interface 127.255.255.255
Registered CORMAN<00> with xx.xxx.x.x on interface xx.xxx.x.xx
Kerberos: TGS-REQ m639$@CORMANDOM.INT-CORMAN.BE from
ipv4:xx.xxx.x.46:50990 for
LDAP/admin01.cormandom.int-corman.be/cormandom.int-corman.be at CORMANDOM.INT-CORMAN.BE
[renewable, forwardable]
Kerberos: Searching referral for admin01.cormandom.int-corman.be
Kerberos: Server not found in database:
LDAP/admin0...
2014 May 20
1
ddns failure on Ubuntu client
...starttime: unset endtime:
2014-05-21T00:01:35 renew till: 2014-05-21T14:01:35
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40240
for ldap/hh16.hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-05-20T14:01:35 starttime:
2014-05-20T14:01:35 endtime: 2014-05-21T00:01:35 renew till:
2014-05-21T14:01:35
Terminating connection - 'kdc_tcp...
2013 Sep 06
0
Problem with GPO and kerberos
...xx.x.xx
Registered CORMAN<1c> with 127.0.0.2 on interface 127.255.255.255
Registered CORMAN<1c> with xx.xxx.x.x on interface xx.xxx.x.xx
Registered CORMAN<00> with 127.0.0.2 on interface 127.255.255.255
Registered CORMAN<00> with xx.xxx.x.x on interface xx.xxx.x.xx
Kerberos: TGS-REQ m639$@CORMANDOM.INT-CORMAN.BE from
ipv4:xx.xxx.x.46:50990 for
LDAP/admin01.cormandom.int-corman.be/cormandom.int-corman.be at CORMANDOM.INT-CORMAN.BE
[renewable, forwardable]
Kerberos: Searching referral for admin01.cormandom.int-corman.be
Kerberos: Server not found in database:
LDAP/admin0...
2013 Sep 10
0
Fw: Problem with kerberos and GPO
...127.0.0.2 on interface 127.255.255.255
> > Registered CORMAN<1c> with xx.xxx.x.x on interface xx.xxx.x.xx
> > Registered CORMAN<00> with 127.0.0.2 on interface 127.255.255.255
> > Registered CORMAN<00> with xx.xxx.x.x on interface xx.xxx.x.xx
> > Kerberos: TGS-REQ m639$@CORMANDOM.INT-CORMAN.BE from
> > ipv4:xx.xxx.x.46:50990 for
> > LDAP/admin01.cormandom.int-corman.be/cormandom.int-
> > corman.be at CORMANDOM.INT-CORMAN.BE
> > [renewable, forwardable]
> > Kerberos: Searching referral for admin01.cormandom.int-corman.be
...
2013 Sep 06
0
Problem with GPO
...xx.x.xx
Registered CORMAN<1c> with 127.0.0.2 on interface 127.255.255.255
Registered CORMAN<1c> with xx.xxx.x.x on interface xx.xxx.x.xx
Registered CORMAN<00> with 127.0.0.2 on interface 127.255.255.255
Registered CORMAN<00> with xx.xxx.x.x on interface xx.xxx.x.xx
Kerberos: TGS-REQ m639$@CORMANDOM.INT-CORMAN.BE from
ipv4:xx.xxx.x.46:50990 for
LDAP/admin01.cormandom.int-corman.be/cormandom.int-corman.be at CORMANDOM.INT-CORMAN.BE
[renewable, forwardable]
Kerberos: Searching referral for admin01.cormandom.int-corman.be
Kerberos: Server not found in database:
LDAP/admin0...
2017 Mar 18
0
kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
...c generated ad DC promo. Overall no issues in the
domain using kerberos so far (over 6 months now), also used SSO for
apache so kerberos overall seems ok.
Logs below (tried my best to trim down).
Samba 4 log from DC that Host A contacted (one of 3 DC's in domain):
Log level 5
Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.X...
2020 Oct 30
1
Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
...OMAIN.TLD
2020-10-30T03:00:16 Client supported enctypes:
aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1,
des3-cbc-md5, arcfour-hmac-md5, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2020-10-30T03:00:16 Requested flags: canonicalize, forwardable
2020-10-30T03:00:16 TGS-REQ user at DOMAIN.TLD from IPv4:192.168.1.10 for
cifs/domek at DOMAIN.TLD [canonicalize]
2020-10-30T03:00:16 Searching referral for domek
2020-10-30T03:00:16 Server not found in database:
cifs/domek at DOMAIN.TLD: Unknown code hdb 3
2020-10-30T03:00:16 Failed building TGS-REP to IPv4:192.1...
2017 Mar 18
2
kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
...delegation should be setup differently (i.e. microsoft
guidelines should be implemented differently for samba AD?).
I tried with different DOMAIN ADMIN account on different host and exact
same issue with same error in log (root at MYDOMAIN.COM.XYZ: No such entry
in the database)
*
*
Kerberos: TGS-REQ BMSRV2$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.8:57775
for kacper_wirski at MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/18 13:24:37.782732, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: samba_kdc_fetch: message2entry failed
[2017/0...
2014 Apr 11
1
4.0 stopped working after updating xubuntu 13.04
...ed flags: renewable-ok, canonicalize, renewable,
forwardable
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ poe at STH.SOMEDOMAIN.SE from ipv4:10.101.1.98:49163 for
LDAP/stockholm.sth.somedomain.se/sth.somedomain.se at STH.SOMEDOMAIN.SE
[renewable, forwardable]
Kerberos: TGS-REQ authtime: 2014-04-11T09:02:21 starttime:
2014-04-11T09:02:21 endtime: 2014-04-11T19:02:21 renew till:
2014-04-18T09:02:21
T...
2012 Oct 18
1
mount.cifs: regular freezes with s3fs
...tarttime: unset endtime:
2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable, forwardable
Kerberos: TGS-REQ steve3 at HH3.SITE from ipv4:192.168.1.41:50790 for
host/hh7.hh3.site at HH3.SITE [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime:
2012-10-18T09:57:33 endtime: 2012-10-18T10:02:33 renew till:
2012-10-19T09:55:48
Kerberos: TGS-REQ steve3 at HH3...
2013 Oct 18
0
Identity change between pkinit and TGS
...0000-0000-0000-0000. The domain, let's say "upn.example.com", doesn't
match my Samba Realm, that would be "realm.com". What's happening here
is during Kerberos pre-auth, it checks for 0000-0000-0000-0000
\@upn.example.com at REALM.COM which works fine. But during the TGS phase,
it checks only for 0000-0000-0000-0000 at REALM.COM and this entry is
missing in Kerberos. Log file shows this :
[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000
\@upn.example.com at REALM.CO...
2020 Oct 29
2
Samba4 ROLE_STANDALONE vs Kerberos = NT_STATUS_LOGON_FAILURE
My OS Gentoo Linux
Samba & krb5 version:
app-crypt/heimdal-7.6.0 abi_x86_32 abi_x86_64 berkdb caps ipv6 libressl
lmdb selinux ssl static-libs
net-fs/samba-4.11.13-r1 abi_x86_64 acl addc addns ads client cups gpg
json ldap pam profiling-data python python_single_target_python3_7 quota
selinux syslog system-heimdal winbind
My /etc/samba/smb.conf (testparm)
Load smb config files from
2021 Oct 05
0
[Announce] Samba 4.14.8 Available for Download
...atabase access
     in the AD DC since Samba 4.12.
   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
     Samba 4.9 by using an explicit database handle cache.
   * BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
     server name in a TGS-REQ.
   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
   * BUG 14819: Address flapping dsdb_schema_attributes test.
   * BUG 14841: Samba CI runs can now continue past the first error if
     AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
   * BUG 14854: samldb_krbtgtnumber_available() loo...
2017 Mar 19
1
kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
...c generated ad DC promo. Overall no issues in the
domain using kerberos so far (over 6 months now), also used SSO for
apache so kerberos overall seems ok.
Logs below (tried my best to trim down).
Samba 4 log from DC that Host A contacted (one of 3 DC's in domain):
Log level 5
Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.X...
2020 May 17
2
GSSAPI authentication issue with samba as AD DC.
.../archive/samba-technical/2013-April/091429.html
I tried to run the cyrus-imap server on a member server, which has
successfully 'net ads join'ed and authenticate user with winbindd
without problems.
I followed the method written in the above mail, but the samba DC (KDC?)
does not respond to TGS request.
I created a user and an SPN as in the mail above,
# samba-tool user create --random-password imap-nowhere
# samba-tool spn add
imap/nowhere.oikumene.ukehi.net at OIKUMENE.UKEHI.NET imap-nowhere
Using samba-tool, I could verify the SPN exists.
# samba-tool spn list imap-nowhere
I gene...
2018 Apr 14
3
smbclient kerberos auth fails
...::/run/user/1000/krb5cc/tkt with result: 0/Success
[14620] 1523708816.549244: Starting with TGT for client realm: aaptel at FOO.COM -> krbtgt/FOO.COM at FOO.COM
[14620] 1523708816.549249: Requesting tickets for cifs/foo.com at FOO.COM, referrals on
[14620] 1523708816.549289: Generated subkey for TGS request: aes256-cts/8C96
[14620] 1523708816.549350: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[14620] 1523708816.549445: Encoding request body and padata into FAST request
[14620] 1523708816.549489: Sending request (1552 bytes...
2014 Feb 05
1
ldb segment fault. Problem on joining as a DC member.
...plsrv_notify_schedule(5) scheduled for: Wed Feb 5 22:13:02 2014 MYT
Kerberos: AS-REQ AMTBSERVER$@KL01.AMTB-M.ORG.MY from ipv4:
192.168.11.20:44354 for krbtgt/KL01.AMTB-M.ORG.MY at KL01.AMTB-M.ORG.MY
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- AMTBSERVER$@
KL01.AMTB-M.ORG.MY
Kerberos: TGS-REQ AMTBSERVER$@KL01.AMTB-M.ORG.MY from ipv4:
192.168.11.20:33877 for
krbtgt/KL01.AMTB-M.ORG.MY at KL01.AMTB-M.ORG.MY[forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2014-02-05T22:12:58 starttime:
2014-02-05T22:12:58 endtime: 2014-02-06T08:12:58 renew till: unset
Kerberos: TGS-REQ AMTBSERVER$@K...
2013 Jul 29
1
NT4 clients
...rror "The
account is not authorized to log in from this station." Using the IP
address does work however.
The clients are configured to allow no smb signing and NTLMv1, I think I
have all the security settings covered.
I noticed while looking at wireshark though that the client is doing
TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels
very odd to me since there is no such SPN cifs/nt4test on the network.
'setspn -Q cifs/nt4test' confirms this.
I've also noticed that the MS docs state:
<94> Section 3.2.5.2:
<http://msdn.microsoft.com/en-u...