similar to: Obtaining TGT using service principal name

Hi Rowland, Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name). But in your second exemple, you never mention the SPN, neither in the keytab export or in the kinit command. Does that means that there is no kinit possible using the SPN? So I am worried of what is the benefice of adding a SPN to a user instead of

Hi guys am looking for some guidance on how I can generate some keytab files from a samba 4 DC I been following a tutorial that states some bits on the windows side such as creating an spn C:\Users\Administrator>setspn -A host/test.sondrel.com at SONDREL.COM Test Registering ServicePrincipalNames for CN=Test,OU=Machines,DC=sondrel,DC=com host/envy.sondrel.com at SONDREL.COM Updated

> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba at lists.samba.org> wrote: > > > > Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba: >> Experts— >> >> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error: >> >> ERROR(runtime): uncaught exception - Key table entry not

Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at

I finally found it, thanks to a clue from https://wiki.archlinux.org/index.php/Active_Directory_Integration This works: kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$' These don't work: kinit -k -t /etc/krb5.keytab kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net kinit -k -t /etc/krb5.keytab host/wrn-radtest That is: the keytab contains three different principals: root

> On Sep 14, 2016, at 12:57 PM, Achim Gottinger <achim at ag-web.biz> wrote: > > > > Am 14.09.2016 um 18:23 schrieb Michael A Weber: >> >>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote: >>> >>> >>> >>> Am 14.09.2016 um 05:53

Hello All. I am using Samba AD DC and Linux server with Squid, and I try to configure kerberos authentication for proxy server users. I need to add SPN for user and then export keytab with it to file. I am add user with RSAT and add SPN for it with samba-tool (like https://wiki.samba.org/index.php/Generating_Keytabs): -------------------- root at ad41:/# samba-tool spn list proxy proxy User

Hi, When I have a service on a client that tries to use kerberos and I get errors such as these in the log.samba file: Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb Does this mean that the kerberos authentication system is looking for the principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain or in the

Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: > On Wed, 14 Sep 2016 16:23:27 -0500 > Michael A Weber via samba <samba at lists.samba.org> wrote: > >>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz> >>> wrote: >>> >>> >>> >>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>

Hi! I maintain Linux servers that are members of a Samba4 Domain. User authentication / login via ssh works fine with Kerberos. But: only via one hostname. Those machines need a working Kerberos login via multiple hostnames (each hostname has its own IP address and DNS is set up correctly.) "net ads keytab list" of course gives me the main hostname that was in use when joining the

> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz> wrote: > > > > Am 14.09.2016 um 20:33 schrieb Michael A Weber: >> >>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz <mailto:achim at ag-web.biz>> wrote: >>> >>> >>> >>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:

Am 16.09.2016 um 22:49 schrieb Rowland Penny via samba: > On Fri, 16 Sep 2016 22:43:42 +0200 > Achim Gottinger via samba <samba at lists.samba.org> wrote: > >> >> Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: >>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>> >>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via

On Fri, 16 Sep 2016 13:00:52 -0700 Robert Moulton via samba <samba at lists.samba.org> wrote: > Achim Gottinger via samba wrote on 9/15/16 1:20 AM: > > > > > > Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: > >> On Wed, 14 Sep 2016 16:23:27 -0500 > >> Michael A Weber via samba <samba at lists.samba.org> wrote: > >> >

Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: > Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >> >> >> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>> On Wed, 14 Sep 2016 16:23:27 -0500 >>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>> >>>>> On Sep 14, 2016, at 2:00 PM, Achim

Am 16.09.2016 um 22:54 schrieb Robert Moulton via samba: > Achim Gottinger via samba wrote on 9/16/16 1:43 PM: >> >> >> Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba: >>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>> >>>> >>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>> On Wed,

> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz> wrote: > > > > Am 14.09.2016 um 19:53 schrieb Michael A Weber: >> >>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote: >>> >>> >>> >>> Am 14.09.2016 um 18:23 schrieb

On Fri, Sep 16, 2016 at 6:08 PM, Achim Gottinger via samba <samba at lists.samba.org> wrote: > > > Am 17.09.2016 um 02:36 schrieb Achim Gottinger via samba: >> >> >> >> Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba: >>> >>> >>> >>> Am 17.09.2016 um 01:23 schrieb Robert Moulton: >>>> >>>>

Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: > Rowland Penny via samba wrote on 9/16/16 1:43 PM: >> On Fri, 16 Sep 2016 13:00:52 -0700 >> Robert Moulton via samba <samba at lists.samba.org> wrote: >> >>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>> >>>> >>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny

Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba: > > > Am 17.09.2016 um 01:23 schrieb Robert Moulton: >> Achim Gottinger via samba wrote on 9/16/16 4:14 PM: >>> >>> >>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >>>> >>>> >>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba:

Hi! I think I ran into the same Problem. What I tried so far: 1) * Adopt SPNs on the DC with samba-tool spn * Create keytab on Member with net ads keytab create * Result: ** klist and net ads keytab list on Member match ** samba-tool spn list on DC doesn't 2) * Clear SPNs from Member via net ads keytab flush * Result: ** net ads keytab list on Member is empty ** samba-tool spn list on DC