search for: tkt

...->data); + memset(reply, 0, sizeof(*reply)); + } if (problem) { if (authctxt->krb5_ctx != NULL) --- openssh-3.4p1/auth1.c.krb Fri Jun 21 08:21:11 2002 +++ openssh-3.4p1/auth1.c Tue Jul 23 15:15:43 2002 @@ -133,15 +133,23 @@ #endif /* KRB4 */ } else { #ifdef KRB5 - krb5_data tkt; + krb5_data tkt, reply; tkt.length = dlen; tkt.data = kdata; - if (auth_krb5(authctxt, &tkt, &client_user)) { + if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), &qu...

...y.c:1423(bkrp_do_retrieve_server_wrap_key) Unable to fetch value for secret BCKUPKEY_34847c15-efd9-4430-ba82-bf7d3160e9e1 , are we an undetected RODC? This is the smb.conf of my server : [global] bind interfaces only = yes interfaces = 10.5.1.26 127.0.0.1 workgroup = TKT netbios name = DC realm = TKT.COM server role = active directory domain controller dns forwarder = 10.5.1.1 ldap admin dn = cn=Administrator,cn=Users,dc=tkt,dc=com idmap_ldb:use rfc2307 = Yes server string = PDC server hostname lookups...

...case you need #51 0xb7ff5a16 in _dl_map_object_deps () from /lib/ld-linux.so.2 #52 0x081d3b3a in smb_panic (why=0x82a173d "internal error") at lib/util.c:1353 #53 0x081c12d8 in fault_report (sig=11) at lib/fault.c:41 #54 <signal handler called> #55 0x080e3c57 in get_auth_data_from_tkt (auth_data=0xbfffea90, tkt=0x8387ba0) at libsmb/clikrb5.c:188 #56 0x0823ca25 in ads_verify_ticket (realm=0x835acc0 "LOCALDOMAIN", ticket=0xbfffeba0, principal=0xbfffdce4, auth_data=0xbfffea90, ap_rep=0xbfffea80, session_key=0xbfffea50) at libads/kerberos_verify.c:335 #57 0x080abfe6 in...

...my DC produces this: Ticket cache: FILE:/tmp/dhcp-dyndns.cc Default principal: dhcpduser at SAMDOM.EXAMPLE.COM Valid starting Expires Service principal 11/01/19 10:12:50 11/01/19 20:12:50 krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 11/01/19 10:12:50 11/01/19 20:12:50 DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac And running 'ktutil' produces this: root at dc4:~# ktutil ktutil: rkt...

...es {18 17 16 23}) 192.168.0.107: NEEDED_PREAUTH: Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN, Additional pre-authentication required Jul 27 23:53:09 pathfinder krb5kdc[6597](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731989, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for krbtgt/POTTERNET.LAN at POTTERNET.LAN Jul 27 23:53:09 pathfinder krb5kdc[6597](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.107: ISSUE: authtime 1532731989, etypes {rep=18 tkt=18 ses=18}, Administrator at POTTERNET.LAN for ldap/pathfinder.potterne...

...kup_kdc = true default_realm = FOO.COM [logging] kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log default = FILE:/var/log/krb5/def.log * run kinit aaptel at FOO.COM, type pw, ok * klist output: Ticket cache: DIR::/run/user/1000/krb5cc/tktEOK9Bs Default principal: aaptel at FOO.COM Valid starting Expires Service principal 04/14/2018 13:49:22 04/14/2018 23:49:22 krbtgt/FOO.COM at FOO.COM renew until 04/15/2018 13:49:21 At this point I think it should work, but I get: $ smbclient...

We have a samba 4.1.9 as a active directory domain controller and a police to change the password every 42 days. When our users change their domain login password , their Outlook will prompt for their email password. Our active directory domain is @abc.com and our email is @xyz.com. Our email system is Qmail , so the email password and domain login password are stored on different system. I

...hcp-dyndns.cc >> Default principal: dhcpduser at SAMDOM.EXAMPLE.COM >> >> Valid starting    Expires            Service principal >> 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 >> 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac >> >> And running 'ktutil' produces thi...

...t/mydomain.com at mydomain.com, Additional pre-authentication required Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19 Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18 tkt=18 ses=18}, win10$@mydomain.com for krbtgt/mydomain.com at mydomain.com Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): closing down fd 19 Jul 03 10:12:01 dc1.mydomain.com krb5kdc[1074](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.168.206.101: ISSUE: authtime 1530605521, etypes {rep=18...

...t cache: FILE:/tmp/dhcp-dyndns.cc > Default principal: dhcpduser at SAMDOM.EXAMPLE.COM > > Valid starting    Expires            Service principal > 11/01/19 10:12:50  11/01/19 20:12:50  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM >     renew until 12/01/19 10:12:50, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 > 11/01/19 10:12:50  11/01/19 20:12:50  DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM >     renew until 12/01/19 10:12:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac > > And running 'ktutil' produces this: > > ro...

...ru for krbtgt/example .ru at example.ru, Additional pre-authentication required мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): closing down fd 20 мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.2.1.12: ISSUE: authtime 1521715436, etypes {rep=18 tkt=18 ses=18}, vas.lah at example.ru for krbtgt/example.ru at example.ru мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): closing down fd 20 мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.2.1.12: ISSUE: authtime 1521715436, etypes {rep=18 tkt=18 ses...

...incipal: dhcpduser at SAMDOM.EXAMPLE.COM > >> > >> Valid starting    Expires            Service principal > >> 11/01/19 10:12:50  11/01/19 20:12:50 > >> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM > >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): > >>aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 > >> 11/01/19 10:12:50  11/01/19 20:12:50 > >> DNS/dc4.samdom.example.com at SAMDOM.EXAMPLE.COM > >>     renew until 12/01/19 10:12:50, Etype (skey, tkt): > >>arcfour-hmac, arcfour-hmac > >&g...

Hi, I am trying to configure the nslcd service on an Ubuntu client for kerberos authentication against samba4. My /etc/nslcd.conf contains the following: uid nslcd gid nslcd uri ldapi:///cofil01.mydomain.net base dc=mydomain,dc=net sasl_mech GSSAPI krb5_ccname FILE:/tmp/host.tkt I have added the host principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the client by using ktutil. I have confirmed that the principals exist on both machines by using klist -ke /etc/krb5.keytab. "hostname -f" gives me t...

...lated to the SE privileges fail. This is what I get on the Win7-PC (translated from dutch) : The given server can't execute the requested operation. So the question is : where do I look to detect what's going wrong ? Thanks for any pointers. P.S. the Kerberos test outputs : Etype (skey, tkt): arcfour-hmac, arcfour-hmac while the "provision" version outputs : Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 Is this related to the failure ? Regards, Koenraad.

...th ssh and sssd in a samba4 ad environment. If I logon a linux client everything works fine. When entering klist I'm able to see my ticket. When I try to connect/logon to another linux client with ssh it is possible, but klist shows: klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found. So the ticket cache is not created during logon. I'm using sssd with the following sssd.conf: [sssd] services = nss, pam config_file_version = 2 domains = $DOMAINNAME$ [nss] [pam] [domain/$DOMAINNAME$] id_provider = ad access_provider = ad ldap_id_mapping=false krb5_keyta...

...i ldap://serveur.radiodjiido.nc base DC=radiodjiido,DC=nc map passwd uid samAccountName map passwd homeDirectory unixHomeDirectory map passwd gecos displayName map passwd gidNumber primaryGroupID sasl_mech GSSAPI sasl_realm RADIODJIIDO.NC krb5_ccname /tmp/nslcd.tkt checking that k5start is well running: ps ax | grep k5 -> 2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt klist -> Ticket cache: FILE:/tmp/krb5cc_1000_mx2700 Default principal: serveur at RADIODJIIDO.NC Valid starting Expires...

...@CATHQ.COM.TW net ads join .... Executing "#klist -e" result: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator@CATHQ.COM.TW Valid starting Expires Service principal 02/12/03 16:08:32 02/13/03 02:07:26 krbtgt/CATHQ.COM.TW@CATHQ.COM.TW Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5 02/12/03 16:07:27 02/13/03 02:07:26 ldap/catad@CATHQ.COM.TW Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5 02/12/03 16:07:27 02/13/03 02:07:26 kadmin/changepw@CATHQ.COM.TW Etype (skey, tkt): DES cbc mode with...

...st -e Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: Administrator at CB.CLIFFBELLS.COM Valid starting Expires Service principal 03/21/2016 00:19:56 03/21/2016 10:19:56 krbtgt/ CB.CLIFFBELLS.COM at CB.CLIFFBELLS.COM renew until 03/22/2016 00:19:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 itwerks at cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM --dns-backend=SAMBA_INTERNAL Finding a writeable DC for domain 'cb.cliffbells.com' Found DC filer.cb.cliff...

...-server/ovirt-agent/ovirt-agent.rb:283:in `new' /usr/share/ovirt-server/ovirt-agent/ovirt-agent.rb:283 And in tail /var/log/krb5kdc.log Oct 09 17:50:34 management.ovirt.priv krb5kdc[1902](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.50.1: ISSUE: authtime 1255103434, etypes {rep=18 tkt=18 ses=18}, qpidd/management.ovirt.priv at OVIRT.PRIV for krbtgt/OVIRT.PRIV at OVIRT.PRIV Oct 09 17:50:48 management.ovirt.priv krb5kdc[1902](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.50.1: NEEDED_PREAUTH: libvirt/management.ovirt.priv at OVIRT.PRIV for krbtgt/OVIRT.PRIV at OVIRT.PRIV, A...

...ap-options: 00000000 0... .... = reserved: False .0.. .... = use-session-key: False ..0. .... = mutual-required: False ticket tkt-vno: 5 realm: TESTDOMAIN.LAN sname name-type: kRB5-NT-SRV-INST (2) sname-string: 2 items SNameString: krbtgt...