similar to: Samba kerberos authentication issues with samba 3.0.7

Good Morning, We have a network of Solaris 10 machines authenticating and doing name lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and self/gssapi credentials. Each machine has a machine account that is prepared via a script with the following attributes: userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)

On 18/07/16 22:31, Norbert Hanke wrote: > On 18.07.2016 22:48, Achim Gottinger wrote: >> >> >> Am 18.07.2016 um 11:45 schrieb Norbert Hanke: >>> On 18.07.2016 01:52, Achim Gottinger wrote: >>>> >>>> >>>> Am 18.07.2016 um 01:02 schrieb Norbert Hanke: >>>>> Hello, >>>>> >>>>> I'm trying

On 18.07.2016 22:48, Achim Gottinger wrote: > > > Am 18.07.2016 um 11:45 schrieb Norbert Hanke: >> On 18.07.2016 01:52, Achim Gottinger wrote: >>> >>> >>> Am 18.07.2016 um 01:02 schrieb Norbert Hanke: >>>> Hello, >>>> >>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC, >>>> both with

Hi list, we have a forest trust of two domains. One domain in US (us.root.prv) running exclusively on Windows 2012 R2 and one in EU (spreadshirt.private) running exclusively Sernet Samba 4.8.2-11. Both domains run functional level "2008 R2". The trust validates successful using "samba-tool domain trust validate" and in "Domains and trusts". My problem is: I

Am 18.07.2016 um 11:45 schrieb Norbert Hanke: > On 18.07.2016 01:52, Achim Gottinger wrote: >> >> >> Am 18.07.2016 um 01:02 schrieb Norbert Hanke: >>> Hello, >>> >>> I'm trying to join a samba 4 DC to an already existing samba 4 DC, >>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version >>> 9.10.4-P1, all brand

Samba expects the keytab file as /etc/krb5.keytab. Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab When samba joins the domain it (probably) updates the machine password and then updates its krb5.keytab file. When connecting via ssh, the system would use a keytab file that had the wrong kvno and probably the wrong password key. The following symlink command fixed ssh

I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.) I am trying to join a Solaris 11 machine to the domain for both Samba and other services. For "unix" logins and ssh, Solaris 11 is configured to use LDAP for user and group lookup and kerberos for authentication. The "kclient -T ms_ad" command joins the Solaris machine to the AD domain. It even

Just to update this, I'm going to upgrade to samba4 but it won't be for a few days yet, I'll keep this thread updated with what happens. On 10 Nov 2017 11:23, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > No, no idee, but really, upgrade to samba, best option, in my opinion. > If thats not possible, it happens.. > > A timeout option can

Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7

Hai, Nope.. To much again ;-) This is one step to much: step2: # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP And why are you adding @REALM .. Do it exactly as shown below. Because

Luis, my typos, I'v to mask the output sorry (compliance) # su - testuser $ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls' Unable to initialize messaging context Enter DOM\testuser's password: session setup failed: NT_STATUS_LOGON_FAILURE [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)

samba-tool computer remove oldsamba Il giorno mar 5 nov 2019 alle ore 17:04 L.P.H. van Belle <belle at bazuin.nl> ha scritto: > Hai, > > Well that great you found it. > > Ah.. so you removed the entry from the DNS or ADDB? > Can you tell what you exactly did, that might help the next person with a > problem like this. > > And not many list messages today.. ;-)

On Tue, 26 Feb 2019 16:37:39 +0100 David Jehin <bedou210977 at gmail.com> wrote: > THANK YOU FOR YOUR REPLY > > THE RESULT : > KVNO Principal > ---- > -------------------------------------------------------------------------- > 1 HOST/samba4 at FSS.LAN (des-cbc-crc) > 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-crc) > 1 SAMBA4$@FSS.LAN (des-cbc-crc) >

Hai,   I noticed something strange in the keytab file on my member server. This is a followup of : [Samba] winbind question. (challenge/response password authentication) Samba 4.5.3 on Debian Jessie.   Leave the domain. net ads leave -k Deleted account for 'PROXY2' in realm 'REALM'   I checked in windows, and the computer is gone in the “Computer” ou.   Removed the

compiled samba version : 4.8.5 and my distribution is: debian stretch 9.6 I said that when I join the domain, restarting the machine takes the GPO, the other restart does not take the gpo computer. Thanks for your help Le mar. 26 févr. 2019 à 17:11, Rowland Penny via samba < samba at lists.samba.org> a écrit : > On Tue, 26 Feb 2019 16:37:39 +0100 > David Jehin <bedou210977 at

THANK YOU FOR YOUR REPLY THE RESULT : KVNO Principal ---- -------------------------------------------------------------------------- 1 HOST/samba4 at FSS.LAN (des-cbc-crc) 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-crc) 1 SAMBA4$@FSS.LAN (des-cbc-crc) 1 HOST/samba4 at FSS.LAN (des-cbc-md5) 1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-md5) 1 SAMBA4$@FSS.LAN (des-cbc-md5) 1

No, no idee, but really, upgrade to samba, best option, in my opinion. If thats not possible, it happens.. A timeout option can be set in krb5.conf for example : kdc_timeout = 5000 You have these for krb5.conf to try out also. the complete list. des-hmac-sha1 DES with HMAC/sha1 (weak) aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC

After reviewing logs I found that my previous assumption was wrong. Situation: - i'm trying to start live migration from hyper-v host A (BMSRV4-HYPERV) to hyper-v host B (BM-SRV-5) from host B (logged in as user from DOMAIN ADMINS group). Kerberos constrained delegation is set in accordnance to microsoft instructions with proper SPN's set (well, proper as in with the workaround I

Am 30.06.2018 um 21:37 schrieb Rowland Penny via samba: > On Sat, 30 Jun 2018 21:02:57 +0200 > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote: > >> >> additional: >> >> the krb5.conf from the former admin, I assume it could or should be >> boiled down: >> # cat /etc/krb5.conf > > The standard one for Samba is

On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote: On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote: >> Here is what the logs show WITHOUT the -d option: >> >> Jan 11 10:00:36 dc01 dhcpd[1704]: Commit: IP: 172.20.10.165 DHCID: >> 1:d4:be:d9:22:9f:7d Name: mgmt01 Jan 11 10:00:36