similar to: AD and ticket

As I learned from former threads, "net ads join" should not only join the Samba server to ADS, but also create Kerberos 5 credentials on the Linux box running Samba 3.0. Well, thanks Jerry joining the Samba 3.0 to ADS works now, but I won't get any Kerberos 5 credentials. winbindd throws errors because of missing Kerberos credentials. Kerberos 5 support is copiled into my samba

Hiya, as I was not capable of getting only close to join the RC1 of Samba 3.0 to my ADS realm, I downgraded to the Redhat 9.0 rpm version of Samba 3.0 Beta 3 from download.samba.org. With this package I get a lot closer to a "working solution". Anyway, Kerberos is not working as supposed during the "net ads join" process which should leave a bunch of Kerberos credentials in

I've got samba-3.0.0-14.3E, and am trying to connect to a Windows 2000 domain using security = ADS After following the instructions in the Samba-HOWTO-Collection, I've got kinit working, and am able to browse the Windows 2000 machines shares with smbclient //win2kmixed/c\$ -k without a password. However, if I try to connect to the machine, either through network neighborhood or with (on

I've got samba-3.0.0-beta3-rc1 running, and am trying to connect to a Windows 2000 domain using security = ADS After following the instructions in the Samba-HOWTO-Collection, I've got kinit working, and am able to browse the Windows 2000 machines shares with smbclient //win2kmixed/c\$ -k without a password. However, if I try to connect to the machine, either through network neighborhood

Hi Trever, things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour: root at ubuntu1:~# kinit user09999 user09999 at S4DOM.TEST's Password: root at ubuntu1:~# klist -v Credentials cache: FILE:/tmp/krb5cc_0 Principal: user09999 at S4DOM.TEST Cache version: 4 Server: krbtgt/S4DOM.TEST at

I am running samba 3.0.23d on Gentoo. I have a particularly problematic server that is a domain member of our AD domain. After joining the domain, shares are available and user credentials work just fine. Then, suddenly for no apparent reason, it stops working. And, then again, just as quickly as the problem starts, it goes away. I have looked at this thing as many ways as I can possibly

hi, now after 10 hours my samba has the next crash and need to restart winbind. Here are the list/kinit: # before kinit pl0024:~# klist klist: Credentials cache file '/tmp/krb5cc_0' not found pl0024:~# kinit Administrator Password for Administrator at HQ.KONTRAST: pl0024:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator at HQ.KONTRAST Valid starting

Hi Paul, I think -U is just ignored when -k and a valid ticket is available. Here you have a valid ticket, you use -k to ask smbclient to use credentials from that ticket, and you add -U for another user. Please try same smbclient command without -k, it should ask you the password for test123 user. That's not a bug, for me it is a lack of documentation on how to use -k switches with almost

Hi Samba community, Here is a problem I could not solve. I would like to mount a cifs share to my local Linux machine, which is bound to a windows domain using winbind. The share needs to be mounted by the linux machine's computer account. Here is what I do: # su - DOMAIN\\computer$ [DOMAIN\computercomputer ~]$ <<< i think there is a problem with the bash prompt, skip it for now

Hi everyone, I'm using the production release of 3.0.0 and can not join a W2003 domain: [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191) got principal=adc1$@WIN.DESY.DE [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269) krb5_cc_get_principal failed (No credentials cache found)

Village idiot here again. Thank you for your replies. Really. As for the acl_xattr.so: I was trying a new 'out of the box' install. I have done the whole download source/compile/provision bit on a Mint 17.1 and I am getting much farther.Now I get 'cannot find kdc for realm "ozco.home" while getting initial credentials" when I try kinit. About Kerberos. You advised me

Have succesfully installed and configured samba on BSD up to the point of joining the active directory domain. The command <net ads join -Uadministrator> returned a message saying that i had "sucessfully joined the domain" and a quick review of my ADDC shows that my samba server has sucessfully joined and created an object in AD. The command <wbinfo -u> returns a list

Hi Rowland, i have tested unjion and join again the member. But that looks not better :/. Any ideas? Best wishes OLIVER WERNER Systemadministrator > Am 23.09.2016 um 14:38 schrieb Oliver Werner via samba <samba at lists.samba.org>: > > Yes the file /etc/krb5.keytab is exists. > > You mean this lines? > > dedicated keytab file = /etc/krb5.keytab >

Hi, I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type ?arcfour-hmac-md5“: # kinit testuser1 testuser1 at S4DOM.TEST's Password: # klist -v Credentials cache: FILE:/tmp/krb5cc_0 Ticket etype: arcfour-hmac-md5, kvno 1 I can create keytabs containing

Hi, after compiling the samba4 4.0.3 (latest) source. I'm trying to join an existing W2k3/8 Domain but get the following. root at server:~# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) root at server:~# kinit admin Password for admin at CITY.DOMAIN.ORG: root at server:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin at CITY.DOMAIN.ORG Valid

Hi Rowland yes sure I know who user '0' is ;-) so where should the ticket be then? I just rebooted the PC and logged in via SSH as root. There is no ticket for the machine :-( even though, the Active Directory join seems to be OK, as "net ads testjoin" says so. I am still a bit lost on how I should proceed. To have this all working more or less, I just mounted the shares with

Thanks. That worked. :) However, I see the krb5cc file only if I login to ssh using the password. If I use ssh private keys to login, I do not see this file being generated. I guess this is because it doesn't use krb5 authentication with the AD server in that case. This is not a major bottleneck, but wanted to understand the scenario. Regards, Shyam On Wed, Apr 1, 2020 at 5:05 PM Alexander

On 03/07/2020 12:35, Stefan Just via samba wrote: > A kinit needs the user's password if the Kerberos ticket maximum > renewable lifetime has been exceeded. This is simply not possible > because users cannot be online for weeks. Where did you get the idea that you need the password from ? If a user logs in and PAM is set up correctly on a Unix domain member, the user should get a

Hello everyone, I'm sorry for this long post, but I think there is a real understanding problem for many people on ADS domain membership. I'm not the first to post about this type of problem, however I didn't find an answer to it in the archives and I followed the HOWTO-collection. Well, this is what I'm doing : I am using samba-3.0.1 compiled from source, MIT kerberos 1.3.1

I would like to set the renewable lifetime to 90 days. What is the best way to set the Kerberos ticket maximum renewable lifetime. ~# smbd --version Version 4.12.2-Ubuntu ~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator at MYDOM Valid starting Expires Service principal 07/02/20 18:08:16 07/03/20 04:08:16 krbtgt/MYDOM at MYDOM renew until 07/03/20