similar to: Samba4 kinit issue with principal and keytab file

Hi All ! Using Samba Version 4.1.12, updated from source from 4.0beta1 I've created a user, let say kerbuser, for a web server to authenticate with kerberos and provide SSO to the end-users. In my example, my domain is MYDOMAIN.LOCAL, the apache server is webserver.mydomain.local and the AD user is kerbuser I've added a principal on the user and exported everything in a keytab so

Hi Rowland, Thanks for your help again. I understand the difference between the UPN (User Principal Name) and the SPN (Service Principal Name). But in your second exemple, you never mention the SPN, neither in the keytab export or in the kinit command. Does that means that there is no kinit possible using the SPN? So I am worried of what is the benefice of adding a SPN to a user instead of

Hi Rowland, Yes, I read this documentation carefully. I have two working Apache2 with kerberos authentication working. My question is more about troubleshooting a keytab. If I need to test manually a keytab file chalenging a specific principal, what's the prefered method ? I thougt that a kinit could be done using a principal name, but I am unable to kinit with somehting else than the

On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote: > > > On Friday, January 11, 2019 3:14 AM, Rowland Penny via samba > <samba at lists.samba.org> wrote: > > > >I have no idea where the above is coming from, but it isn't from > >the dhcp scripts. > > > > I don't know what to tell you,

On Friday, January 11, 2019 11:20 AM, Billy Bob via samba <samba at lists.samba.org> wrote:     On Friday, January 11, 2019 10:44 AM, Rowland Penny via samba <samba at lists.samba.org> wrote: On Fri, 11 Jan 2019 16:13:50 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote: >>> Here is what the logs show WITHOUT the -d option: >>> >>> Jan

Am 20.12.2016 um 14:50 schrieb Brian Candler via samba: > (2) Can "net ads keytab create" be told to extract just a single named > principal? That would simplify things. But I can't see how to. > > As usual... clues gratefully received. samba-tool domain exportkeytab [keytabfile] --principal=[SPN or UPN] In your case samba-tool domain exportkeytab /etc/krb5.keytab

Hi! I maintain Linux servers that are members of a Samba4 Domain. User authentication / login via ssh works fine with Kerberos. But: only via one hostname. Those machines need a working Kerberos login via multiple hostnames (each hostname has its own IP address and DNS is set up correctly.) "net ads keytab list" of course gives me the main hostname that was in use when joining the

> On Sep 14, 2016, at 12:57 PM, Achim Gottinger <achim at ag-web.biz> wrote: > > > > Am 14.09.2016 um 18:23 schrieb Michael A Weber: >> >>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote: >>> >>> >>> >>> Am 14.09.2016 um 05:53

Hai, ? Im working on my dhcp server + dns setup with samba4.? ? i've exported the?keytabs ? samba-tool domain exportkeytab?/home/krb5.keytab.samba4 ? when i read the contents of this keytab ? ktutil rkt /home/krb5.keytab.samba4 list ?? 1??? 1???????????? RTD-DC1$@INTERNAL.DOMAIN.TLD ?? 2??? 1???????????? RTD-DC1$@INTERNAL.DOMAIN.TLD ?? 3??? 1???????????? RTD-DC1$@INTERNAL.DOMAIN.TLD ??

> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba at lists.samba.org> wrote: > > > > Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba: >> Experts— >> >> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error: >> >> ERROR(runtime): uncaught exception - Key table entry not

I finally found it, thanks to a clue from https://wiki.archlinux.org/index.php/Active_Directory_Integration This works: kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$' These don't work: kinit -k -t /etc/krb5.keytab kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net kinit -k -t /etc/krb5.keytab host/wrn-radtest That is: the keytab contains three different principals: root

Hello, I try to setup Dovecot with Kerberos/GSSAPI and use this howto: https://wiki.samba.org/index.php/Authenticating_Dovecot_against_Active_Directory#Create_the_Dovecot_user_and_keytab I also try https://wiki.dovecot.org/Authentication/Kerberos I can login as windows user on win7 and access shares. When I open Thunderbird I get the message: "kerberos/gssapi ticket was not accepted"

On Thu, 10 Jan 2019 22:23:41 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote: > > > On Thursday, January 10, 2019 2:56 PM, Rowland Penny via samba > <samba at lists.samba.org> wrote: > > > >Uncomment line 10, adjust it for prefix if Samba isn't in /usr/local and then try again. > Here it is with script properly configured. > Regarding

Hi, i'm trying to analyze kerberos traffic using tshark (Samba 4.8.1 on Centos 7). I can't figure out how to extract keytab with password/keys. I follow precisely the instructions at https://wiki.samba.org/index.php/Keytab_Extraction But it seems like I only get slot, kvno and principal, can't find a way to get passwords or keys. Any idea someone ? ktutil: rkt decode.keytab ktutil:

> ... you don't get the /etc/krb5.keytab by default on a DC, you will need > to create it: > > samba-tool domain exportkeytab /etc/krb5.keytab Excellent! Thank you. I've done that now, but I have more issues more appropriate to a reply to mathias' message following. --Mark -----Original Message----- > To: samba at lists.samba.org > From: Rowland penny <rpenny

Thanks Luc, First, can I just use the small /etc/krb5.conf suggested in Samba AD docs or do I need something more substantial on the server & client for Kerberos NFS to work? [libdefaults]         default_realm = SUBDOMAIN.DOMAIN.COM         dns_lookup_realm = false         dns_lookup_kdc = true I understand a /etc/krb5.keytab file has to be created on both server & client. Most

Am 22.01.2015 um 12:28 schrieb Rowland Penny: > On 22/01/15 10:53, Norbert Heinzelmann wrote: >> Hello, >> >> I have the problem that the ACLs are ignored when I mount a share via >> cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also tried it >> with Gentoo and samba 4.1.14). So I joined a member server like the >> wiki describes. Everything

Am 22.01.2015 um 17:17 schrieb Rowland Penny: > On 22/01/15 12:57, Norbert Heinzelmann wrote: >> Am 22.01.2015 um 12:28 schrieb Rowland Penny: >>> On 22/01/15 10:53, Norbert Heinzelmann wrote: >>>> Hello, >>>> >>>> I have the problem that the ACLs are ignored when I mount a share >>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu

Am 23.01.2015 um 10:19 schrieb Rowland Penny: > On 23/01/15 07:34, Norbert Heinzelmann wrote: >> >> Am 22.01.2015 um 17:17 schrieb Rowland Penny: >>> On 22/01/15 12:57, Norbert Heinzelmann wrote: >>>> Am 22.01.2015 um 12:28 schrieb Rowland Penny: >>>>> On 22/01/15 10:53, Norbert Heinzelmann wrote: >>>>>> Hello,

Hi all, I would like to be able to rely on samba given tools to manage my DNS entries but until now, I failed. >From what I have understood there is one and only one tool responsible to update DNS: samba_dnsupdate. Is that previous affirmation true? I had issue with DNS backend set to internal DNS server: samba_dnsupdate was almost never working. So I switched to Bind-DLZ as advised here