similar to: GSSAPI credentials deletion

Louis, could you take a look on my case again? I am not sure that the problem is in incorrect groups. Only trusted credentials don't work. Have you any idea what the reason is? On Mon, 13 Jul 2020 at 19:50, Yakov Revyakin <yrevyakin at gmail.com> wrote: > Some more details. Below is what I have during joining Linux (Ubuntu > 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is

In 3.7.1p2, the sshd_config manpage talks about GSSAPICleanupCredentials, while servconf.c uses GSSAPICleanupCreds. Here is a patch: --- openssh-3.7.1p2/servconf.c.orig 2003-12-10 10:43:52.000000000 -0200 +++ openssh-3.7.1p2/servconf.c 2003-12-10 10:44:13.000000000 -0200 @@ -310,10 +310,10 @@ { "afstokenpassing", sUnsupported }, #ifdef GSSAPI {

Hai, I dont use trusts myself, this is what i see. Lets take small steps here. First of all, why does the DOMAIN contains/shows a dot in it. ( i think its a wrong setting in sssd, but i dont know sssd ) I know this is one of your REALMs and not the domain. I refer to : https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

Hi, I am doing some kerberos testing with samba4 using ssh. I have setup samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and active directory seems to be working both with Windows and Linux clients. ssh unfortunately is not kerberos authenticating via GSSAPI. The client krb5.conf contains this: ===================================================== [libdefaults]

Hi, I'm trying to use the GSSAPIDelegateCredentials function to forward my kerberos 5 tickets. Authentication with GSSAPI/Kerberos 5 works fine, I can log in to the server when I have valid tickets on my client. But when I turn on GSSAPIDelegateCredentials I get "Connection reset by peer" at the client side. At the server side, I have been able to see that the user process gets a

http://bugzilla.mindrot.org/show_bug.cgi?id=958 Summary: patch to support GSI GSSAPI mechanism Product: Portable OpenSSH Version: 3.9p1 Platform: All URL: http://grid.ncsa.uiuc.edu/ssh/ OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: Miscellaneous

http://bugzilla.mindrot.org/show_bug.cgi?id=944 Summary: ssh_config missing default configuration values for GSSAPI Product: Portable OpenSSH Version: 3.9p1 Platform: All OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: openssh-bugs at

Some more details. Below is what I have during joining Linux (Ubuntu 20.04) to the SVITLA3 domain. SVITLA3 (Samba) is trusting, APEX (AD) is trusted. SVITLA3 has *administrator *and *test01 *users, APEX has *administrator *and *jake *users. test01 - 20000:20000 (uidNumber:gidNumber) jake - 10000:10000 You can see some delay in some places - I marked them bold. It looks like DNS timeouts. The

I am trying to transition several HP/UX 11i (PA/RISC) servers from ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the GSSAPI include files: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\"

Hi guys While debugging a GSSAPI memory allocation problem not related to OpenSSH, I found a memory leak in OpenSSH when storing forwarded GSSAPI credentials resulting in a growing process segment for each connection that uses GSSAPI credentials forwarding. What happens is the following: In the privileged parent, we are calling ssh_gssapi_storecreds() which itself calls

https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Summary: Memory leak caused by forwarded GSSAPI credential store Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at

So I am in step 10 of the samba4 howto (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates); my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add tkey-gssapi-credential "DNS/samdom.example.com"; tkey-domain "SAMDOM.EXAMPLE.COM"; to /etc/bind/named.conf.options. Since my test domain is test.domain.com,

I try to get Samba 4 with ssh running. I found in the Script from Matthieu Patou tot he sysvol sync the follwing intresting line. --- kinit -k -t /etc/krb5.keytab `hostname -s | tr "[:lower:]" "[:upper:]"`\$ rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING --- when i understand correct he uses the domain controller service principle to connect to the

I can suggest a few things. krb5.conf ( if you use nfsv4 with kerberized mounts _ [libdefaults] ignore_k5login = true in But, it does not look like it in you logs your useing kerberized mounts. Im missing in SSHD_config : UseDNS yes And the defaults : # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes Are sufficient for a normal ssh kerberized login. Optional,

Hi, thanks for your hints. DNS, /etc/resolf.conf, /ets/hosts seem to be correct. I'm able to do a kerberized ssh with a user from subdom2.subdom1.example.de (testuser at SUBDOM2.SUBDOM1.EXAMPLE.DE) But I'm not able to do the same with a user from example.de (user1 at EXAMPLE.DE). -- Regards, Andreas Am 01.11.2017 um 10:51 schrieb L.P.H. van Belle via samba: > I can suggest a few

Thanks for the prompt reply! > I did see that you are using Administrator, and thats the problem. > Administrator is mapped to root ( most of the time ), > if you assigned Administrator UID = 0 then you have a problem, because only root = uid 0. > > Never ever give Administrator a UID/GID I am using tdb backend. It mapped administrator account to 12000:10000. > So try again

http://bugzilla.mindrot.org/show_bug.cgi?id=928 Summary: Kerberos/GSSAPI authentication does not work with multihomed hosts Product: Portable OpenSSH Version: -current Platform: Other URL: http://marc.theaimsgroup.com/?l=openssh-unix- dev&m=108008882620573 OS/Version: All

Hi all, I'm really struggling with getting Kerberos authentication to work between a FreeBSD host and a Linux host. I'm using the latest 6- STABLE code on the FreeBSD box, I've got forwardable Kerberos tokens (verified with "klist -f") and Kerberos and ssh are working fine in all other ways, but I can't get the Linux box to accept the Kerberos ticket as

FreeBSD has both <gssapi.h> and <gssapi/gssapi.h>, but the former is a wrapper that prints a warning before including the latter. This is a problem when building with -Werror. This patch reverses the order of preference so <gssapi/gssapi.h> wins over <gssapi.h>. Index: ssh-gss.h =================================================================== --- ssh-gss.h (revision

https://bugzilla.mindrot.org/show_bug.cgi?id=2456 Bug ID: 2456 Summary: gssapi-keyex blocked by PermitRootLogin=without-password Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd