similar to: samba + kerberos

** I truncate my initial mail below for size reason ** I've tried your tips but nothing better.... AD users can still accessing share (ouf !!), but local users not more. I can't find where it blocks.... Thanks for your help Louis, Greetz, Bruno Le 02/08/2016 à 15:33, L.P.H. van Belle a écrit : > > You keep 2 ranges. > > One for the “local (linux) users” > >

Hai, I had it the other way around. Only root acces. I have scripted my setup and tested on debian. Look here https://secure.bazuin.nl/scripts/these_are_experimental_scripts/ setup-nfsv4-kerberos.sh If you get the file, setup-nfsv4-kerberos.sh and compair it to your setup. If you can read the bash script maybe you see something you missed. When i write as "root" its root and

Ok, now its clear to me. We need to set UMICH_SCHEMA in idmap.conf Read : http://linux.die.net/man/5/idmapd.conf Working on it now. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van Belle > Verzonden: vrijdag 9 oktober 2015 13:34 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] kerberos

I suspect I might be grossly misunderstanding kerberos and AD here, but I cant seem to grok the following. net ads join integrates my linux samba server (named foundry) into an AD domain and all works fine. The samba server is using the kerberos keytab. root@foundry:~ # kinit -k -t /etc/krb5.keytab foundry$ root@foundry:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local kinit(v5):

Hai Mourik-Jan, I think you missing your ptr record in the reverse zone. Or you missing the Krb5KeyTab variable in the apache setup. Test : dig keycloak.company.com ( results in A ip. ) dig -x ip_adres https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at

Hi Rowland, I tried that. As follows: [root at machinename mnt]# kinit -k MACHINENAME$ [root at machinename mnt]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: MACHINENAME$@CAMPUS Valid starting Expires Service principal 02/28/2024 11:50:55 02/28/2024 21:50:55 krbtgt/CAMPUS at CAMPUS renew until 02/29/2024 11:50:55 [root at machinename mnt]# mount -t cifs

Dear Rowland of course, if the network is unreachable, this is also a problem for autofs. However, when a CIFS share is in the fstab and the network is unreachable, you cannot boot, as it waits forever to mount all your fstab entries, whereas with autofs, you can still boot, as there is nothing really mounted yet. I show you below my configurations of the server and client machines. On the

Thanks you very much Louis ! I have tried your setup and I can't mount the share neither from the server itself or the client. On /var/log/syslog I have : rpc.gssd : ERROR : no credentials found for connecting to server myserver This is because the machine principal is not present in the keytab : $ klist -k 1 nfs/myclient.samdom.com at SAMDOM.COM 1 nfs/myclient.samdom.com at SAMDOM.COM 1

Hi, Sorry for this necrobump.... But I'm still can't use my local root user to browse content of my NFSv4/Krb5 share...... (others permission are checked when root use this share) So a lot of questions appeared during my tests : - Must i have same idmap.conf on both client and server ? - Why rpc.idmapd only use 'nsswitch' method even if 'static' is

Hi, Can someone point out what I am doing wrong here? Background: I'm trying to make keycloak (saml) authenticate using kerberos, and I'm getting "client not found in kerberos database". Below are the steps I have taken. I'm using a domain member servers machine account (server$) to add the SPN, since keycloak is running on that member server. (for the record: the

Hai, Here you go.. But all my settings are scripted. https://github.com/thctlo/samba4 found here. Read the script : samba-with-nfsv4.sh Start it like ./ samba-with-nfsv4.sh (client or server) Its tested and works on debian jessie. I contains the nfs server settings and client settings. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at

Does it work if you test like this. kinit testuser at EXAMPLE.COM mount -t cifs -o sec=krb5 //server.example.com/export /mnt/cifs Have a look here : https://runops.wordpress.com/2015/03/05/setup-linux-cifs-autofs-automount-using-kerberos-authentication/ I cant tell much about automount, i use it but through systemd for my nfsv4 mounts. Greetz, Louis > -----Oorspronkelijk

Rowland Perry wrote: > >/imdap config AD : backend = rid /> >/ > /> How did you 'fix' this, on face value, there is nothing wrong with that line. "imdap" is not "idmap" (so now you understand why I missed it after staring at it so long :-) > When you join the domain with 'kerberos method = secrets and keytab', > you should get a

Thank you for that, i did have a good look at that one. And i use Debian 9, if you test what i posted below in the thread, you will see NFSv4 works fine. Below is missing one more thing, the "allow to delegate (kerberos only) " on the computer object in the AD, should be enabled. And yes, i've see bugchecks also but only on my debian .. Lenny.. Stt.. ;-) .. Its my last lenny

Ah ok, you are using "public_html" from a default setup. Now i understand what you exact want. If you have the apache keytab created. Create a cron job and run : kinit -t /path/to/keytab as the www user. Dont forget het disable the password change in the AD user for the "apache Service user" account. You probely also need to export some kerberos variables like :

On 01/09/15 21:59, Quirin Maier wrote: > Hi, > > I'd like to use ldbadd with kerberos authentication using samba > 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being > processed. Executing... > > kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab > > root at dc01:/# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default

Hi, I'm running a mixed linux/Windows network with authentication done using Active Directory. The Linux clients use Samba/Winbind for authentication (with help from the list, thanks!). I've setup smb.conf such that doing 'net ads join -Uadministrator' populates my /etc/krb5.keytab (see configuration files below). klist shows me a nice set of principals from /etc/krb5.keytab

Hello samba team ! I have some NFS4 exports managed by a Samba's Kerberos realm. All the standard user accesses work fine. I try now to setup an NFS4 root access to administer the share from another server (the two host are DC, one PDC and one SDC). But I have trouble understanding the kerberos/principals layer. ------------ Actually I do ------------- -> on the server I create an nfs

Hi All. I have a problem with authorization users AD via kerberos in Dovecot&Postfix. Windows SRV 2008 Standart - AD mail server: Gentoo + cyrus-sasl + postfix + dovecot with support ldap&kerberos. I am created a 4 keytabs on Windows box. C:\Users\Admin>ktpass -princ host/srv-mail.cn.energy at CN.ENERGY -mapuser ldapmail at CN.ENERGY -pass "superpasswd" -crypto RC4-HMAC-NT

I finally found it, thanks to a clue from https://wiki.archlinux.org/index.php/Active_Directory_Integration This works: kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$' These don't work: kinit -k -t /etc/krb5.keytab kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net kinit -k -t /etc/krb5.keytab host/wrn-radtest That is: the keytab contains three different principals: root