similar to: krbtgt user not showing aes types

Displaying 20 results from an estimated 1200 matches similar to: "krbtgt user not showing aes types"

2015 Aug 19
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi Trever, things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour: root@ubuntu1:~# kinit user09999 user09999@S4DOM.TEST's Password: root@ubuntu1:~# klist -v Credentials cache: FILE:/tmp/krb5cc_0 Principal: user09999@S4DOM.TEST Cache version: 4 Server: krbtgt/S4DOM.TEST@
2015 Jul 14
0
krbtgt user not showing aes types
On 14/07/15 15:46, Trever L. Adams wrote: > I have found source4/scripting/devel/chgtdcpass for adding the aes types > to machines. I know you have to change the password of normal users. > > How do you fix this for krbtgt? Can you just change the password? Is > there a recommended method? > > Thank you for any help, > Trever > > > You could try looking here:
2017 Jun 20
2
DRS stopped working after upgrade from debian Jessie to Stretch
Can you do this against the secrets.keytab in Samba's private/ dir? > You can reset the Samba machine account pw with > ./source4/scripting/devel/chgtdcpass, but: > - it won't be packaged so you will have to build Samba and tell it to > operate against the right paths > - it shouldn't be needed, upgrades shouldn't break this, and > understanding the root cause
2017 Jun 21
4
DRS stopped working after upgrade from debian Jessie to Stretch
On 21.06.2017 at 00:50, Andrew Bartlett wrote: > On Tue, 2017-06-20 at 23:35 +0200, Achim Gottinger via samba wrote: >> Can you do this against the secrets.keytab in Samba's private/ dir? >>> You can reset the Samba machine account pw with >>> ./source4/scripting/devel/chgtdcpass, but: >>> - it won't be packaged so you will have to build Samba and tell it
2020 Jun 13
2
Samba not providing the right encryption in Kerberos
Hi, I have a domain with 3 DCs running 4.11.8. The database itself dates back to Samba3 and has been gradually updated over the years. When I check out a ticket I get the following results from klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user@OLDDOMAIN Valid starting Expires Service principal 06/12/2020 23:25:04 06/13/2020 09:25:04 krbtgt/ OLDDOMAIN@
2015 Aug 18
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi, I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5": # kinit testuser1 testuser1@S4DOM.TEST's Password: # klist -v Credentials cache: FILE:/tmp/krb5cc_0 Ticket etype: arcfour-hmac-md5, kvno 1 I can create keytabs containing
2018 Nov 24
5
[Bug 1303] New: nft improperly merges intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1303 Bug ID: 1303 Summary: nft improperly merges intervals Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org
2015 Aug 19
0
Samba 4 DC - no AES kerberos tickets - only arcfour
On 08/19/2015 12:02 AM, Ritter, Marcel (RRZE) wrote: > Hi Trever, > > things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour: > > root@ubuntu1:~# kinit user09999 > user09999@S4DOM.TEST's Password: > root@ubuntu1:~# klist -v > Credentials cache: FILE:/tmp/krb5cc_0 >
2013 Jul 08
2
Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
I am not sure how to get the symbols necessary, however the following is the backtrace (this is Fedora 19 latest everything): Jul 8 03:23:02 MX dovecot: auth: Fatal: block_alloc(2147483648): Out of memory Jul 8 03:23:02 MX dovecot: auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x5f437) [0x7f97a952f437] -> /usr/lib64/dovecot/libdovecot.so.0(+0x5f4fe) [0x7f97a952f4fe] ->
2015 Jul 03
2
CUPS backend question - Samba 4
Hello, I have a DC that sits on a different subnet from the CUPS server that I would like to use. I would rather not install CUPS on the DC. Is it possible to change the server name away from localhost for the CUPS backend and have it connect to that other server to get the printers (load printers = yes) and print to that server? Must I have a CUPS installation on the DC? Thank you, Trever
2020 Oct 25
2
doveadm SSL problem with recent update
With a recent update, I started seeing this: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_cert: Can't open file /etc/letsencrypt/live/SERVER/fullchain.pem: Permission denied 1 4 * * * vmail /usr/bin/doveadm expunge -A mailbox MAILBOXINQUESTION savedbefore 1w is one of the crontab entries I am seeing this for. Is there an option to keep doveadm
2015 Jul 04
1
CUPS backend question - Samba 4
Hi, > > Why don't you create a Member server with cups installed?. I suppose > that you have a gateway between both subnets, right? > > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server > https://wiki.samba.org/index.php/Samba_as_a_print_server > > With that, the cups server can authenticate the users using the DC > server and you just need to print
2019 Jul 16
3
pigeonhole question: filtering on delivered-to in case of fetchmail
So, one of the problems I am seeing is that people are trying to fake users into revealing information by sending from an outside domain but with an internal reply to address and claiming to be administration, IT or what not. I can set up something that will reject if from is outside the domain but reply to is internal. The problem is in some setups, there are fetchmail setups. I do not want to
2020 Oct 30
2
Setting up Backup AD DC
On Fri, 2020-10-30 at 15:21 +0100, Norbert Hanke via samba wrote: > On 29.10.2020 18:27, Tom Diehl via samba wrote: > > > > Maybe I am missing something, but what is the secure way to run an > > automated > > backup on recent versions of samba? Can samba-tool domain backup be > > made to use > > kerberos so I do not need to store an admin password in an >
2010 Dec 28
1
LDAP binds
I am using 2.0.8. Anonymous binds are no longer supported in the environment I am using. I need to change my userdb ldap setup to bind. I believe the ldap server does Kerberos (or can) authentication. My users are authenticating using Kerberos or Kerberos/PAM. This needs to stay in place. Can anyone suggest how I might go about changing my setup to work? My current ldap setup is as follows (the
2018 Nov 20
1
[Bug 1302] New: iptables v1.8.0 (nf_tables) has a problem inverting in-interface and maybe out
https://bugzilla.netfilter.org/show_bug.cgi?id=1302 Bug ID: 1302 Summary: iptables v1.8.0 (nf_tables) has a problem inverting in-interface and maybe out Product: iptables Version: CVS (please indicate timestamp) Hardware: x86_64 OS: All Status: NEW Severity: major Priority:
2020 Jun 13
0
Samba not providing the right encryption in Kerberos
On Sat, 2020-06-13 at 06:41 +0000, Sebastian Lisic via samba wrote: > Hi, > > I have a domain with 3 DCs running 4.11.8. The database itself dates > back to Samba3 and has been gradually updated over the years. I'm not sure why, but this probably doesn't have all the encryption types for either the user or the krbtgt account. Change the password on both. The user account
2015 Apr 29
6
Classicupgrade succeeded with Sernet-samba-4.2.1 AD, but Kinit not working
Good Day All I have been trying to upgrade from samba 3 to samba 4.2.1 on Ubuntu 14.4 using the sernet-samba package. The upgrade seems to work fine and the samba4 comes up correctly, I have also run the following script to get rid of bug https://git.samba.org/?p=samba.git;a=blob_plain;f=source4/scripting/devel/chgtdcpass;h=4f5ea15a80c2862daf170a5657658a8163174f8a;hb=HEAD I am able to
2015 Apr 29
1
Classicupgrade succeeded with Sernet-samba-4.2.1 AD, but Kinit not working
Great Rowland!!! in fact by using the line server service = +dns I am able to have the internal DNS and the kerberos server working!! now kinit works just fine thanks! (btw, do we have the list of "services" that we can put in the smb.conf?) Mario Pio Russo, System Admin SWG IT Services
2019 Nov 03
2
DC with outdated secrets
On Sun, 2019-11-03 at 16:24 +0100, Johannes Engel via samba wrote: > 2 hours and I am a little further: > Helped myself with Andrew's script in source4/scripts/devel/chgtdcpass > which updated the machine password as well as the keytab. > After a restart samba keeps complaining now that the (outdated) KVNO 6 is > no longer part of the secrets.keytab: > [2019/11/03