similar to: AD Kerberos and Dovecot

Displaying 20 results from an estimated 30000 matches similar to: "AD Kerberos and Dovecot"

2016 Jun 15
1
ldapsearch & GSSAPI => Server not found in Kerberos database
Solved : ) Reminder of the issue: All services (CIFS, Kerberos, LDAP, DNS, RPC) on one DC were working well and ldapsearch using DN and password was also working. The only thing which was not working was ldapsearch using GSSAPI authentication with the following error: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic
2016 Jun 07
0
ldapsearch & GSSAPI => Server not found in Kerberos database
More information, making me more crazy: - ldapsearch without SASL is working from any host: ldapsearch -D 'CN=user-ldapmodify,OU=OurUsers,DC=ad,DC=domain,dc=tld' -w Passw0rd -x -ZZ -b 'dc=ad,DC=domain,dc=tld' -h dc106 sAMAccountName=administrator dn - ldapsearch with SASL is not working (Kerberos ticket existing following a working kinit) from any host but it works when launched
2012 Jan 17
1
Samba 4 and GSSAPI kerberos ldap connect
Hi everyone, I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine. If I add the line: sasl_mech GSSAPI to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank. ldapsearch -x -b '' -sbase
2016 Jun 07
2
ldapsearch & GSSAPI => Server not found in Kerberos database
Hi all, I've got an AD DC using Samba 4.4.3 on Centos7 which accepts Kerberos connections (kinit is working), which accepts ldapsearch with credentials but which refuses ldapsearch with GSSAPI. The issue does not seem to be coming from the client as I discovered this issue writing a script to test all 22 DCs, and all 21 other DCs are working well from that client. The error: SASL/GSSAPI
2015 May 10
0
sssd on a DC
OK, I've got a little further and I think I have tracked this down to a reverse DNS issue - which was non-obvious to me, so here is a write-up for the benefit of the archives. The part that was failing was this: [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: dc1$ [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] [sasl_bind_send] (0x0080): Extended failure
2015 Oct 15
0
ldapsearch against Samba4 AD questions
Things go further. To use GSSAPI and so the Kerberos ticket obtained with kinit I was missing "-Y GSSAPI". It seems GSSAPI and TLS are meant to be used together: ---------------------------------------- ldapsearch -Y GSSAPI -LLL -H ldaps://SAMBA.DOMAIN.TLD SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Server is unwilling to perform (53) additional info:
2015 Oct 15
2
ldapsearch against Samba4 AD questions
ERRATUM: It seems GSSAPI and TLS are *NOT* meant to be used together: 2015-10-15 16:20 GMT+02:00 mathias dufresne <infractory at gmail.com>: > Things go further. To use GSSAPI and so the Kerberos ticket obtained > with kinit I was missing "-Y GSSAPI". > > It seems GSSAPI and TLS are meant to be used together: > ---------------------------------------- >
2012 Aug 13
0
ldapsearch -> samba4
Samba 4.0.0beta4, CentOS 6.3 (openldap 2.4.23-26.el6), samba-generated krb5.conf. I have joined a Linux client to the samba4 domain and extracted the kerberos5 keytab (using "kerberos method = system keytab"): # kinit Administrator (succeeds) # net ads join createupn=host/<client.fqdn>@REALM -k (succeeds) # net ads keytab create (succeeds) # net ads testjoin (is OK) #
2016 Dec 20
0
Problem with keytab: "Client not found in Kerberos database"
L.P.H. van Belle wrote: > start with fixing the overlapping idmap config. > that wont help. I don't think they are overlapping: I used 100,000-999,999 for rid and 1,000,000 to 9,999,999 for autorid. > check again if host.fqdn a and ptr exists in the dns. # dig +short wrn-radtest.ad.example.net. a 192.168.5.83 # dig +short -x 192.168.5.83 wrn-radtest.ad.example.net. > check
2016 Oct 11
2
Problems with GSSAPI and LDAP
On 2016-10-11 11:03, Aki Tuomi wrote: > On 11.10.2016 11:56, Juha Koho wrote: >> >> On 2016-10-11 10:00, Aki Tuomi wrote: >>> On 11.10.2016 10:43, Juha Koho wrote: >>>> >>>> On 2016-10-11 09:18, Aki Tuomi wrote: >>>>> On 11.10.2016 10:13, Juha Koho wrote: >>>>>> Hello, >>>>>>
2015 Oct 15
2
ldapsearch against Samba4 AD questions
Hi all, I'd like to perform some ldapsearch against my AD domain. And I'd like to be able to perform these ldapsearch using GSSAPI to avoid usage of password in scripts. DC are using default configuration file: ---------------------------------------- # Global parameters [global] workgroup = SAMBA.DOMAIN realm = SAMBA.DOMAIN.TLD netbios name = M707 server
2020 Oct 10
0
Mail samba
On 10/10/2020 14:40, Philip Offermans wrote: > >>> >>> >>> >>> (The ip6 addresses are from docker) >> 'docker' ??? > https://www.docker.com would recommend to check it out some time No, I should have expanded on that, what I meant was, is one or other of the DC or Unix domain member running in a docker container ? > > >> On 10
2016 Oct 11
2
Problems with GSSAPI and LDAP
On 2016-10-11 10:00, Aki Tuomi wrote: > On 11.10.2016 10:43, Juha Koho wrote: >> >> On 2016-10-11 09:18, Aki Tuomi wrote: >>> On 11.10.2016 10:13, Juha Koho wrote: >>>> Hello, >>>> >>>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying >>>> to >>>> set up a GSSAPI Kerberos authentication with
2016 Dec 19
5
Problem with keytab: "Client not found in Kerberos database"
I am trying to use a keytab for a client machine to authenticate to Samba's own LDAP server. The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2 compiled from source. The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been joined directly to the Samba domain ("net ads join"). I have also extracted a keytab ("net ads keytab create -P")
2013 Aug 28
1
Problem with nslcd and samba
Hi, I try to use nslcd with samba 4 to get users and groups for AD. If I do a ldapsearch, I have a message: Server not in kerberos database. If I do a getent passwd, nslcd displays the same error message. log of samba4: [2013/08/28 10:15:47, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ Administrator at CORMANDOM.INT-CORMAN.BE from
2017 Aug 01
1
openindiana GSSAPI failure to samba 4.6.6
2017-07-31 17:41 GMT+02:00 Greg Dickie via samba <samba at lists.samba.org>: > Hey guys, > > Thanks for the ideas. I made life easier for myself and just replaced the > SunOS (illumos) implementation with real samba. That works very well so > we're all good. Is it just me or is kerberos complicated? > At first, no it is not you : ) But after a while (and thanks to
2019 May 21
5
Urgent Help ... Please
Hello Dear Members, Please, I have here the following error if I do the samba_dnsupdate --verbose. The problem is that I can't join any new machine to my Samba AD machine. PLEASE ..... Thanks for any possible Help --- root at srvcar018:/etc# samba_dnsupdate tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not
2019 Aug 15
0
SASL: encoded packet size too big
I see nothing suspicious in FreeIPA slapd logs because connection drops before SASL negotiation completion. Network analysis shows client sending RST after receiving `bindResponse(7) saslBindInProgress`. On 8/15/19 3:07 PM, Aki Tuomi via dovecot wrote: > I suspect the problem is that dovecot tries to report LDAP error over GSSAPI. So the best fix is to make sure your LDAP server does not
2019 Aug 15
0
SASL: encoded packet size too big
That's right. GSS-API is not used anywhere else. Do you like to inspect my full configuration? I can dump connection session and send pcap file here. On August 15, 2019 7:27:20 AM GMT+03:00, Aki Tuomi <aki.tuomi at open-xchange.com> wrote: >> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote: >> >> >> The next combination of
2006 Oct 12
0
Cannot connect LDAP to Kerberos
I'm trying to set up my ldap directory to use kerberos passwords. I have compiled openldap with --with-kpasswd, added the principal ldap/iceage.sg.org.br@SG.ORG.BR to kerberos. Also, I have prepared the user entries in LDAP with these fields (in addition to other ones): objectClass: krb5Principal krb5PrincipalName: diego@SG.ORG.BR cn: Diego Lima userPassword: {KERBEROS}diego@SG.ORG.BR I