Displaying 20 results from an estimated 10000 matches similar to: "Change of kerberos encryption from DES to AES"
2010 Apr 17
1
Encryption
I want to (continue to) use Samba code to obtain data needed by my
Linux client. This is currently done by calls into Samba's
libraries. Unfortunately the resulting rpc traffic is unencrypted.
I think this has to do with the configuration of encryption
mechanisms on both sides, but perhaps (since when talking to older
Windows systems, e.g. Windows 2000) encryption (with NTLM SSP I
2007 Feb 14
2
ClearCase Interop problem with recent Samba versions
Dear all,
I have a SUN server running as ClearCase view-server and am using Samba
for Interop. Today I updated Samba from 3.0.21c to 3.0.24 and now I
cannot mount/start my views from windows!!
MVFS error log on my windows client gives "{8 pid/tid 49800000c58/85fdf178} MvfsFsNotification: Unsupported filesystem type (6)"
Samba logs don't show any error...
Trying other
2015 Aug 18
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi,
I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":
# kinit testuser1
testuser1 at S4DOM.TEST's Password:
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Ticket etype: arcfour-hmac-md5, kvno 1
I can create keytabs containing
2015 Aug 19
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi Trever,
things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
root at ubuntu1:~# kinit user09999
user09999 at S4DOM.TEST's Password:
root at ubuntu1:~# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user09999 at S4DOM.TEST
Cache version: 4
Server: krbtgt/S4DOM.TEST at
2014 Dec 22
2
How to disable des and rc4 in the active directory domain controller ?
Hi,
When I run 'samba-tool domain exportkeytab', I found the exported
keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
modifying /etc/krb5.conf does not help.
My DC running with samba 4.1.13, and the server role is active
directory domain controller.
Thanks,
Dongsheng
2014 Dec 28
1
How to disable des and rc4 in the active directory domain controller ?
On Sun, Dec 28, 2014 at 2:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2014-12-22 at 16:34 +0800, Dongsheng Song wrote:
>> Hi,
>>
>> When I run 'samba-tool domain exportkeytab', I found the exported
>> keytab file includes arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems
2019 May 31
1
Windows AD report KRB5KDC_ERR_ETYPE_NOSUPP when client request AES ticket
Hi,
I set up samba on ubuntu 18.04 and joined the windows AD (windows server
2016), it works fine. But when a windows client (windows server 2012R2)
which only allows kerberos enctype AES tries to access the samba server,
windows AD reports a kerberos error KRB5KDC_ERR_ETYPE_NOSUPP. The 'net ads
enctypes list' command reports the samba server supports all the enctypes.
'dks4$' uses
2015 Aug 19
0
Samba 4 DC - no AES kerberos tickets - only arcfour
On 08/19/2015 12:02 AM, Ritter, Marcel (RRZE) wrote:
> Hi Trever,
>
> things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
>
> root at ubuntu1:~# kinit user09999
> user09999 at S4DOM.TEST's Password:
> root at ubuntu1:~# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
>
2017 Mar 09
2
Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.)
I am trying to join a Solaris 11 machine to the domain for both Samba
and other services. For "unix" logins and ssh, Solaris 11 is configured
to use LDAP for user and group lookup and kerberos for authentication.
The "kclient -T ms_ad" command joins the Solaris machine to the AD
domain. It even
2017 Nov 10
2
Slow Kerberos Authentication
No, no idea, but really, upgrade to samba, best option, in my opinion.
If that's not possible, it happens..
A timeout option can be set in krb5.conf
for example : kdc_timeout = 5000
You have these for krb5.conf to try out also.
the complete list.
des-hmac-sha1: DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts: AES-256 CTS mode with 96-bit SHA-1 HMAC
2017 Nov 09
3
Slow Kerberos Authentication
Hai,
You may need to add the following in krb5.conf
[libdefaults]
allow_weak_crypto = true
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96
2015 Aug 19
0
Samba 4 DC - no AES kerberos tickets - only arcfour
On 08/18/2015 02:28 PM, Ritter, Marcel (RRZE) wrote:
> Hi,
>
> I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":
>
> # kinit testuser1
> testuser1 at S4DOM.TEST's Password:
>
> # klist -v
> Credentials cache:
2003 Sep 29
4
bad encryption type when accessing AD member server
Hi,
I'm trying to access a Samba 3.0 server (running on Debian unstable) in an
Active Directory environment. I successfully joined the domain, klist shows
my Kerberos ticket(s) and I can use smbclient -k to access a Windows 2000
server. However, when I try to access a share on the Samba machine from a
Windows 2000 client, I'm being asked
2015 Mar 19
1
Kerberos: Failed to decrypt PA-DATA
Hi,
Some users can't logon to their workstation if the session is negotiating
with samba domain controller, the password is requested again and again.
Samba is joined as a Domain Controller in a windows domain controllers. The
users' computers are joined also to the domain. But for some users the
kerberos ticket is failing.
Samba version 4.1.15 - Debian 7.8
Samba debug logs, level 3:
2018 Oct 09
10
NFSv4, homes, Kerberos...
I was used to integrate some linux client in my samba network mounting
homes with 'unix extensions = yes', and works as expected, at least
with some old lubuntu derivatives. Client side I use 'pam_mount'.
Now I'm working on a ubuntu mate derivative, and I've not found a way
to start the session properly in CIFS.
If I create a plain local home (pam_mkhome), session start as
2019 Nov 15
2
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi all. I'm trying to understand a weird authentication failure:
I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest,
with a bidirectional forest trust.
The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
running a recent build from git master (f38077ea5ee).
When I test authentication of users in each domain by running ntlm_auth on
the samba server,
2018 Oct 10
1
NFSv4, homes, Kerberos...
Thank you for that, I did have a good look at that one.
And I use Debian 9, if you test what I posted below in the thread, you will see NFSv4 works fine.
Below is missing one more thing, the "allow to delegate (kerberos only)" on the computer object in the AD, should be enabled.
And yes, I've seen bugchecks also but only on my debian .. Lenny.. Stt.. ;-) .. It's my last lenny
2019 Nov 15
3
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Here's the keytab info:
ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
12
2024 Jun 04
2
Classicupgrade FL 2012_R2 NTLM/Kerberos logon
Hi samba list,
I work on a classicupgrade of our NT4/ldap domain.
On my tests (DC and filer are on FreeBSD and zfs file system, client is
a Windows 10 22H2):
-> I'm able to do this classicupgrade and keep all users able to connect
on computers with their domain account.
-> In a second step I configure samba DC to improve security and by the
way I upgrade our FL to 2012_R2, schema
2023 Apr 13
4
Is LDAP + Kerberos without Active Directory no longer supported?
Ok after installing libpam-winbind etc I had someone try to connect from
a MacOS and they got:
[2023/04/13 15:50:50.002773,  1]
../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for
[testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3]