similar to: keytab vs. winbind

2020 Aug 06
0
pam+winbind and maintaining domain membership: keytab vs tickets
On 06/08/2020 18:18, Isaac Stone via samba wrote: > Hello. I am trying to clarify in my mind how winbind, pam and kerberos all > work. I am hoping to get some knowledge to help debug and ensure our samba > server keeps its domain membership in the most robust way possible. > > Background: We are using a samba server to serve a filesystem to windows > users. A group policy on
2020 Aug 06
1
pam+winbind and maintaining domain membership: keytab vs tickets
Thanks for your quick replies. Yes, we are using a ctdb setup, and having the same netbios name was something I understood as necessary there. Thanks for confirming. To clarify, currently we are not fetching any kerberos tickets for any reason on the samba server. We are not using `kinit` explicitly anywhere and everything seems to be working. In a previous setup we were calling it because I
2020 Aug 06
2
pam+winbind and maintaining domain membership: keytab vs tickets
Hello. I am trying to clarify in my mind how winbind, pam and kerberos all work. I am hoping to get some knowledge to help debug and ensure our samba server keeps its domain membership in the most robust way possible. Background: We are using a samba server to serve a filesystem to windows users. A group policy on the machines will automatically mount the filesystem. Samba and all the
2008 Apr 02
3
Urgent... winbind and keytab file creation
Hi, I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf: use kerberos keytabe = true and as mentioned in man smb.conf I have set in krb5.conf
2020 Feb 18
0
winbind: machine password timeout and keytab
On 18/02/2020 19:14, Johan Hattne via samba wrote: > Dear all; > > Is it possible to refresh the machine password in an AD setup while > also using a keytab for verifying secrets?? As far as I can see > machine password updates (as controlled by "machine password timeout") > are disabled when a keytab is in use (in particular, when "kerberos > method =
2020 Feb 18
2
winbind: machine password timeout and keytab
Dear all; Is it possible to refresh the machine password in an AD setup while also using a keytab for verifying secrets? As far as I can see machine password updates (as controlled by "machine password timeout") are disabled when a keytab is in use (in particular, when "kerberos method = secrets and keytab"), but without an up-to-date keytab e.g. single sign-on with SSH
2004 Jan 05
1
Samba requesting nonexistent keytab type?
Hello, I have been working diligently since my last post to solve the error I've been receiving. I did manage to fix the credentials problem, but now I am at the same point where many others are, mainly, when doing hostname mapping (net use X: \\foo\bar), Samba prompts for a username and password and does not use Kerberos. In my error logs: [2004/01/05 15:51:59, 10]
2014 Dec 31
0
Fwd: Re: Samba4 and sssd, keytab file expires?
On 31/12/14 15:48, Alessandro Briosi wrote: > On 2014-12-31 16:29 Dr. Lars Hanke wrote: >>>> OK, you can get winbind to update your keytab, you need to alter your >>>> smb.conf slightly. You need to change 'kerberos method = secrets only' >>>> to either 'kerberos method = secrets and keytab' or 'kerberos method = >>>>
2009 Mar 17
0
Alternate to 'net ads keytab'?
Hello, We're currently binding hosts to a Windows 2000 domain through a third-party product (that also supports Kerberos/NFSv4) but we also have a need to have other hosts grab their credentials from a Windows KDC for NFSv4 access. While we don't intend to bind these systems to AD, we do have the requirement to pull their SPNs from AD and place them in /etc/krb5.keytab. Note that
2015 Jan 15
1
Fwd: Re: Samba4 and sssd, keytab file expires?
Hi Rowland, this posting ended a lot of grief I had with expired keytabs. While this is presumably an issue of sssd, I have no chance to attack the issue right at its root*). But rejoining the domain with the lines dedicated keytab file = /etc/krb5.memberserver.keytab kerberos method = secrets and keytab winbind refresh tickets = Yes seems to fix it. Phew... Maybe you or someone
2017 Mar 30
0
Samba and keytab file creation
I am working on trying to set up Solaris 11 and Linux clients as Samba domain members with a Win 2008 AD domain controller/directory server. I am also trying to configure Kerberos for unix level authentication. I am unclear if Samba can create a keytab file or only use a previously created one. With Solaris, there is a "kclient" command that creates the machine account on the
2016 Dec 20
0
Problem with keytab: "Client not found in Kerberos database"
Rowland Perry wrote: > >/imdap config AD : backend = rid /> >/ > /> How did you 'fix' this, on face value, there is nothing wrong with that line. "imdap" is not "idmap" (so now you understand why I missed it after staring at it so long :-) > When you join the domain with 'kerberos method = secrets and keytab', > you should get a
2016 Jul 04
0
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 04/07/16 00:34, Mark Foley wrote: > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with > Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his > patience in working this through with me. Although my purpose was for Dovecot to authenticate > mail clients, the configuration settings needed were on the
2008 Jul 10
0
failed to create kerberos keytab with samba-3.2.0 [solved (sort of)]
Hi all, I compiled samba-3.2.0 on a brand new machine and when I try to join the domain, I get the following result: bash-3.00# net ads join -U administrator Enter administrator's password: Failed to join domain: failed to create kerberos keytab A keytab file is created as /etc/krb5.keytab as it should be. It does not seem to depend on the version of kerberos samba was linked against, I
2019 Nov 05
0
Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Hai, > > Change this one. > > /etc/hosts > > 10.0.0.2 fs-a.dom.corp fs-a oldsamba # Old/wrong > > 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba # > new/correct > > Or > > 10.0.0.2 fs-a.dom.corp fs-a oldsamba.dom.corp # new/correct > No, none of them are correct No, Rowland, you're really wrong here. (I don't say that often..) :-p But I give
2010 Apr 07
1
Kerberos method not working like use kerberos keytab?
Hi, I have a couple of old samba 3.0.30 installations. I enabled the "use kerberos keytab" option in the smb.conf file to acquire a TGT automatically when a user logs in. This works fine on 3.0.30 installs. On newer samba versions I recognized that the option has been phased out and replaced by a newer option called "kerberos method". The man page is not really clear about what
2016 Mar 31
0
NFSv4 / Krb / wildcard in keytab
On 31/03/16 10:04, Service Informatique IF wrote: > Hi, > > I'm trying to use wildcard in keytab because I don't want to join every > computer, client for service NFS krb5. > > I add a spn like this > > # samba-tool spn add host/* nfs > > (I create user nfs before) > > # samba-tool spn list nfs > nfs > User CN=nfs,CN=Users,DC=if,DC=ujf-grenoble,DC=fr
2016 Jul 04
0
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 04.07.2016 at 01:34, Mark Foley wrote: > After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with > Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his > patience in working this through with me. Although my purpose was for Dovecot to authenticate > mail clients, the configuration settings needed were on
2016 Mar 31
0
NFSv4 / Krb / wildcard in keytab
Try it like: http/%s at DOMAIN.COM not http/*@DOMAIN.COM Greetz, Louis > -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Service > Informatique IF > Sent: Thursday 31 March 2016 11:04 > To: samba at lists.samba.org > CC: ifinfo at ujf-grenoble.fr > Subject: [Samba] NFSv4 / Krb / wildcard in keytab > > Hi,
2015 Feb 12
0
Problem with "kerberos method = secrets and keytab"
Hi Andreas, I convinced Rowland to change the wiki like that. You might want to check out the thread "Samba4 and sssd, keytab file expires?". Read it, and you will understand its implications. Even if it works now, it doesn't mean that it will work for long... The first thing I would check is the kerberos setup. I would also check, whether DNS is OK for both forward and