Displaying 20 results from an estimated 6000 matches similar to: "How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]"
2012 Jul 09
2
How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi,
I am doing some kerberos testing with samba4 using ssh. I have setup
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
active directory seems to be working both with Windows and Linux clients.
ssh unfortunately is not kerberos authenticating via GSSAPI. The client
krb5.conf contains this:
=====================================================
[libdefaults]
2012 Jul 12
2
nslcd service - "Client not found in Kerberos database"
Hi,
I am trying to configure the nslcd service on an Ubuntu client for kerberos
authentication against samba4. My /etc/nslcd.conf contains the following:
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
I have added the host principal "host/ubuntu-test.mydomain.net @
MYDOMAIN.NET" to /etc/krb5.keytab on both
2012 Jul 12
8
Linux SSO with samba4?
Hi,
I think it is great that samba4 has a single sign on solution for Windows
platforms and it seems to work well too, but I am wondering is it possible
to do the same for a Linux environment? I have been studying how to
implement single sign on using the Ubuntu way through this document:
https://help.ubuntu.com/community/SingleSignOn and I am wondering if I can
do the same with samba4 where the
2012 Jul 09
2
How do I join a samba 3 client to a samba 4 AD server?
Hi,
I have set up a standard samba4 server via
http://wiki.samba.org/index.php/Samba4/HOWTO and have tested that windows
machines can join the samba4 AD.
Now I am trying to join an Ubuntu machine to the same samba4 ad but it is
failing for me with the following message:
# net ADS JOIN -U Administrator
Enter Administrator's password:
Failed to join domain: failed to lookup DC info for domain
2012 Jul 13
1
Understanding kerberos principals in samba4
Hi,
When I have a service on a client that tries to use kerberos and I get
errors such as these in the log.samba file:
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb
Does this mean that the kerberos authentication system is looking for the
principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain
or in the
2008 Oct 14
1
GSSAPI Key Exchange on multi-homed host
From a security standpoint, if the default keytab (/etc/krb5.keytab)
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
is set to "yes" or "no"?
My company uses an internally built OpenSSH package that includes the
GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
a "standard" sshd_config file that works for the
2006 Aug 18
1
[Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=928
simon at sxw.org.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at sxw.org.uk
------- Comment #2 from simon at sxw.org.uk 2006-08-19 08:31 -------
I'd rather see us move towards just using
2012 Jul 11
1
splitting services in samba4
Question: Right now samba4 is great as in all-in-one solution (samba,
kerberos, ldap, dns) into one service.
Is it possible to split it up so that for example, I run openldap on one
server, kerberos on another server, and then dns/samba on a third server?
br,
Quinn
2007 Nov 13
2
Enhanced Kerberos support
The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed
for multi-homed (or multi-domained) sites.
SSH recently added this enhancement to address this common need:
GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates
against. If "yes" then the client must
2012 Jul 09
1
upgrade
Hello list, I need to update my samba, I run firstly ./configure.developer,
and when I run make I get this message
123/3913] Compiling lib/replace/replace.c
In file included from ../lib/replace/replace.c:26:
../lib/replace/replace.h:112:24: error: bsd/string.h: No such file or
directory
../lib/replace/replace.h:116:24: error: bsd/unistd.h: No such file or
directory
Waf: Leaving directory
2005 Apr 19
1
Large files timeout
I am trying to download a 200MB ISO file and each time I attempt to do
so it will timeout after around 30 MB. I've used both a Microsoft and a
FreeBSD tftp client with the same results. When PXE booting a pc and
letting it download the ISO it either hangs halfway through or the ISO
appears to be corrupted when trying to boot to it from ramdisk. I am
looking for suggestions on how to
2020 Oct 02
5
Kerberos ticket lifetime
On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working. I can SSH to the system, and I get
> a proper ticket. My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system.? I think I can script around
> that and just not rely on winbind to do it.
2014 May 25
2
Samba 4 / Kerberos / ssh
I try to get Samba 4 with ssh running.
I found in the Script from Matthieu Patou to the sysvol sync the following interesting line.
---
kinit -k -t /etc/krb5.keytab `hostname -s | tr "[:lower:]" "[:upper:]"`\$
rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
---
When I understand correctly, he uses the domain controller service principal to connect to the
2018 Dec 12
1
[Solved] GSSAPI/Kerberos authenticate with Dovecot
So tell us what did >> You << correct ?
If you put it in the list mail everybody can enjoy from it ;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> basti via samba
> Sent: Wednesday 12 December 2018 16:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Solved] GSSAPI/Kerberos
2018 Dec 12
1
[Solved] GSSAPI/Kerberos authenticate with Dovecot
OK, for now it seems to work.
Server: dovecot.my.fqdn.com
Security: STARTTLS
Auth: Kerberos/GSSAPI
Possible Problems:
- Keytabfile (samba-tool delegation show dovecot\$) ?
- IP as Servername
- SSL/TLS Port 993 ?
Maybe someone can complete the wiki with thunderbird settings?
P.S.
Roland kinit -V5 DOVECOTUSER at MY.FQDN.COM did also work
I use the samba wiki, don't know why only export 3
2006 Oct 02
0
GSSAPI Key Exchange for 4.4p1
Hi,
I'm pleased to be able to announce the availability of my GSSAPI Key
Exchange patch for OpenSSH 4.4p1.
This patch adds RFC4462 compatibility to OpenSSH, along with adding
additional GSSAPI support that is yet to make it into the main tree.
The patch implements:
*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
exchange mechanisms. This can be enabled through the
2016 Jul 04
0
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 04.07.2016 at 01:34, Mark Foley wrote:
> After a nearly 2-year struggle to get Dovecot to do either NTLM or GSSAPI authentication with
> Samba4 AD/DC, I believe I've finally got it! Infinite thanks to Achim Gottinger for his
> patience in working this through with me. Although my purpose was for Dovecot to authenticate
> mail clients, the configuration settings needed were on
2008 Apr 04
0
GSSAPI Key Exchange Patch for OpenSSH 5.0p1 (plus an added extra)
It's that time again! There's been another OpenSSH release, and once
again, I'm pleased to announce the availability of my GSSAPI Key
Exchange patch for it.
Whilst OpenSSH contains support for GSSAPI user authentication, this
still relies upon SSH host keys to authenticate the server to the
user. For sites with a deployed Kerberos
2016 Nov 09
6
[Bug 2637] New: GSSAPIStrictAcceptorCheck should default to 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2637
Bug ID: 2637
Summary: GSSAPIStrictAcceptorCheck should default to 'yes'
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: minor
Priority: P5
Component: Kerberos support
Assignee:
2016 Jul 04
0
How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 04/07/16 21:21, Mark Foley wrote:
>> To: samba at lists.samba.org
>> From: Achim Gottinger <achim at ag-web.biz>
>> Date: Mon, 4 Jul 2016 09:29:02 +0200
>> Subject: Re: [Samba] How to GSSAPI/Kerberos authenticate with Dovecot
>>
>> On 04.07.2016 at 01:34, Mark Foley wrote:
>>> After a nearly 2-year struggle to get Dovecot to do either NTLM or