similar to: Samba-generated keytab fails with kinit

Dear all, this is using debian stretch and Louis' 4.8.11 packages. I am trying to export a keytab, and even for a UPN, samba does not export the AES keys. What could be the mistake? root at dc2:~# net ads enctypes list dns-dc2 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) [X] 0x00000001 DES-CBC-CRC [X] 0x00000002 DES-CBC-MD5 [X] 0x00000004 RC4-HMAC [X]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I am working with integrating various Linux distros as domain members with an Active Directory Domain running on Windows Server 2008 R2 native. The Domain admins have allowed des keys for backwards (nfs) compatibility, but prefers the default enctypes supported in 2008 r2: http://support.microsoft.com/kb/977321 * AES256-CTS-HMAC-SHA1-96

Hai, Thats a strange one.. > This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) Try this first. sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2 Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Christian via samba > Verzonden: maandag 29

Luis, ok I'v removed everything, step 1: KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab CREATE -P klist -ke /etc/krb5.keytab2|grep 7|sort 7 cifs/FS-A at DOM.CORP (aes128-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (aes256-cts-hmac-sha1-96) 7 cifs/FS-A at DOM.CORP (arcfour-hmac) 7 cifs/FS-A at DOM.CORP (des-cbc-crc) 7 cifs/FS-A at DOM.CORP (des-cbc-md5) 7

Hai, Nope.. To much again ;-) This is one step to much: step2: # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba.dom.corp at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba at DOM.CORP # KRB5_KTNAME=FILE:/etc/krb5.keytab2 net ads keytab ADD cifs/oldsamba$@DOM.CORP And why are you adding @REALM .. Do it exactly as shown below. Because

Am 29.04.2019 um 12:55 schrieb L.P.H. van Belle via samba: > Hai, > > Thats a strange one.. > >> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) > Try this first. > sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2 Same result. Cheers, Christian > > > Greetz, > > Louis > >>

Luis, my typos, I'v to mask the output sorry (compliance) # su - testuser $ smbclient --option='client min protocol=NT1' -U testuser //oldsamba/testuser -c 'ls' Unable to initialize messaging context Enter DOM\testuser's password: session setup failed: NT_STATUS_LOGON_FAILURE [2019/11/05 15:50:50.009481, 1] ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)

samba-tool computer remove oldsamba Il giorno mar 5 nov 2019 alle ore 17:04 L.P.H. van Belle <belle at bazuin.nl> ha scritto: > Hai, > > Well that great you found it. > > Ah.. so you removed the entry from the DNS or ADDB? > Can you tell what you exactly did, that might help the next person with a > problem like this. > > And not many list messages today.. ;-)

Hai,   I noticed something strange in the keytab file on my member server. This is a followup of : [Samba] winbind question. (challenge/response password authentication) Samba 4.5.3 on Debian Jessie.   Leave the domain. net ads leave -k Deleted account for 'PROXY2' in realm 'REALM'   I checked in windows, and the computer is gone in the “Computer” ou.   Removed the

hi, ? i have recently installed a samba 4 in a DC role. The distribution is a debian jessie/sid, the version of samba is 4.1.7. The server is globally working but there is some litle trouble. on the server itself, i can do a kinit without probleme but if i try a kpasswsd, i obtain the following ? root at station:/var/log/samba# kinit Password for administrator at TOTO.FR: root at

any ideas ? please i got stuck and have no ideas what else i can do pozdrawiam Łukasz Sellmann 2017-02-01 17:50 GMT+01:00 Łukasz Sellmann <bravo.galaxy at gmail.com>: > Can someone help me with samba4 with internal dns. Something strange > showing in log.smbd when computers are doing gpupdate (becouse of this > error computers cant apply gpo) > > log.smbd on DC1: >

yes, permissions are set as default by apt package instalator > ls -al > -rw------- 1 root root 1082 sty 13 23:25 secrets.keytab samba,smbd deamons have run as root user > > log.smbd on DC1: > > > > [2017/01/13 13:49:16.075361, > > 1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update) > > GSS server Update(krb5)(1) Update failed:

On Fri, 3 Feb 2017 16:00:45 +0100 Łukasz Sellmann via samba <samba at lists.samba.org> wrote: > any ideas ? please i got stuck and have no ideas what else i can do > > > pozdrawiam > > Łukasz Sellmann > > 2017-02-01 17:50 GMT+01:00 Łukasz Sellmann <bravo.galaxy at gmail.com>: > > > Can someone help me with samba4 with internal dns. Something

Achim Gottinger via samba wrote on 9/16/16 1:43 PM: > > > Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: >> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>> >>> >>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>> Michael A Weber via samba <samba at

Am 16.09.2016 um 22:43 schrieb Achim Gottinger via samba: > > > Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: >> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>> >>> >>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>> Michael A Weber via samba <samba at

On Fri, 16 Sep 2016 22:43:42 +0200 Achim Gottinger via samba <samba at lists.samba.org> wrote: > > > Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: > > Achim Gottinger via samba wrote on 9/15/16 1:20 AM: > >> > >> > >> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: > >>> On Wed, 14 Sep 2016 16:23:27 -0500 >

Can someone help me with samba4 with internal dns. Something strange showing in log.smbd when computers are doing gpupdate (becouse of this error computers cant apply gpo) log.smbd on DC1: [2017/01/13 13:49:16.075361, 1] ../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update) GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find

On Fri, 16 Sep 2016 23:02:20 +0200 Achim Gottinger via samba <samba at lists.samba.org> wrote: > > > Am 16.09.2016 um 22:49 schrieb Rowland Penny via samba: > > On Fri, 16 Sep 2016 22:43:42 +0200 > > Achim Gottinger via samba <samba at lists.samba.org> wrote: > > > >> > >> Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: >

Hm instresting way. Whats the difference in createing the HTTP/spn with net ads or samba tool ( besides de found bug ) I'll go try this out. You remember the "squid" spn/upn problem, this solved it also. The squid kerberos group plugin now correctly detects the HTTP spn. Thanks for trying out. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba

Rowland Penny via samba wrote on 9/16/16 1:43 PM: > On Fri, 16 Sep 2016 13:00:52 -0700 > Robert Moulton via samba <samba at lists.samba.org> wrote: > >> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>> >>> >>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>> Michael A