Displaying 20 results from an estimated 10000 matches similar to: "Joining Samba4 to Win 2008 AD domain breaks other kerberos functions"
2017 Mar 16
0
Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
Samba expects the keytab file as /etc/krb5.keytab.
Solaris 11 looks for a keytab file in /etc/krb5/krb5.keytab
When samba joins the domain it (probably) updates the machine password
and then updates its krb5.keytab file. When connecting via ssh,
the system would use a keytab file that had the wrong kvno and probably
the wrong password key.
The following symlink command fixed ssh
2017 Nov 10
2
Slow Kerberos Authentication
No, no idee, but really, upgrade to samba, best option, in my opinion.
If thats not possible, it happens..
A timeout option can be set in krb5.conf
for example : kdc_timeout = 5000
You have these for krb5.conf to try out also.
the complete list.
des-hmac-sha1
DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts AES-256
CTS mode with 96-bit SHA-1 HMAC
2009 Nov 05
1
Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?
Good Morning,
We have a network of Solaris 10 machines authenticating and doing name
lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and
self/gssapi credentials. Each machine has a machine account that is
prepared via a script with the following attributes:
userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT |
DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
2013 Jun 05
3
Samba4 and NVSv4
Short story: cannot get Kerberized NFSv4 to work. I've googled a great
deal and cannot find where I have goofed (and there sure is a lot of
misleading and just plain incorrect information out there), so would
appreciate another pair of eyes. NFSv4 without Kerberos does work fine, as
does ID mapping. We're using NFSv4 in production with sec=sys, but I'm not
happy with that. My
2013 Jun 05
3
Samba4 and NVSv4
Short story: cannot get Kerberized NFSv4 to work. I've googled a great
deal and cannot find where I have goofed (and there sure is a lot of
misleading and just plain incorrect information out there), so would
appreciate another pair of eyes. NFSv4 without Kerberos does work fine, as
does ID mapping. We're using NFSv4 in production with sec=sys, but I'm not
happy with that. My
2017 Nov 09
3
Slow Kerberos Authentication
Hai,
You may need to add the the following in krb5.conf
[libdefaults]
allow_weak_crypto = true
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96
2019 Feb 26
2
gpo not applied a boot computer
THANK YOU FOR YOUR REPLY
THE RESULT :
KVNO Principal
----
--------------------------------------------------------------------------
1 HOST/samba4 at FSS.LAN (des-cbc-crc)
1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-crc)
1 SAMBA4$@FSS.LAN (des-cbc-crc)
1 HOST/samba4 at FSS.LAN (des-cbc-md5)
1 HOST/samba4.fss.lan at FSS.LAN (des-cbc-md5)
1 SAMBA4$@FSS.LAN (des-cbc-md5)
1
2019 Nov 05
7
Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Ok,
Your keytab looks ok now.
oldsamba.dom.corp is an alias for fs-a.oldsamba.dom.corp.
fs-a.dom.corp has address 10.0.0.2
i would have expected here.
oldsamba.dom.corp is an alias for fs-a.dom.corp.
fs-a.dom.corp has address 10.0.0.2
Or was that a typo? I assuming a typo..
About your setup from the script outpout.
Change this one.
/etc/hosts
10.0.0.2 fs-a.dom.corp fs-a oldsamba #
2019 Nov 05
5
Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
Ok, you did to much as far i can tell.
You want to see this: i'll show my output, then i is better to see what i mean.
this is where you start with.
klist -ke |sort ( default member )
---- --------------------------------------------------------------------------
3 host/HOSTNAME1 at REALM.DOMAIN.TLD (aes128-cts-hmac-sha1-96)
3 host/HOSTNAME1 at REALM.DOMAIN.TLD
2017 Feb 01
2
gpupdate - Failed to find DC1 in keytab
Can someone help me with samba4 with internal dns. Something strange
showing in log.smbd when computers are doing gpupdate (becouse of this
error computers cant apply gpo)
log.smbd on DC1:
[2017/01/13 13:49:16.075361, 1]
../source4/auth/gensec/gensec_gssapi.c:619(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure
(see text): Failed to find
2017 Feb 01
3
samba creating keytabs... ( possible bug, can someone confirm this )
Hai,
I noticed something strange in the keytab file on my member server.
This is a followup of : [Samba] winbind question. (challenge/response password authentication)
Samba 4.5.3 on Debian Jessie.
Leave the domain.
net ads leave -k
Deleted account for 'PROXY2' in realm 'REALM'
I checked in windows, and the computer is gone in the “Computer” ou.
Removed the
2019 Nov 15
3
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Here's the keytab info:
ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
12
2020 Jul 14
1
Error trying to access samba sharing using netbios name
am getting this error in smbd.log when user try to open Share from Windows
box:
gss_accept_sec_context failed with [ Miscellaneous failure (see text):
Failed to find cifs/mymember.my.domain.tld at MY.DOMAIN.TLD(kvno 58) in keytab
MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
I have made a research here in google and here in mail
2017 Feb 03
2
gpupdate - Failed to find DC1 in keytab
On Fri, 3 Feb 2017 16:00:45 +0100
Łukasz Sellmann via samba <samba at lists.samba.org> wrote:
> any ideas ? please i got stuck and have no ideas what else i can do
>
>
> pozdrawiam
>
> Łukasz Sellmann
>
> 2017-02-01 17:50 GMT+01:00 Łukasz Sellmann <bravo.galaxy at gmail.com>:
>
> > Can someone help me with samba4 with internal dns. Something
2017 Feb 01
1
winbind question. (challenge/response password authentication)
Hai,
Im setting up a new proxy and im testing a bit around.
Goal is, get everyting working with minimal changes to the system.
Setup: Debian 8 with NFS nfsv3 and v4 (krb) automounts, winbind 4.5.3 , squid 3.5.24 (with ssl support)
Which is basicly a copy of my other proxy but a new install with more systemd and less packages used.
Working:
- ssh logins with AD users.
2016 Jul 18
3
samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 22:48, Achim Gottinger wrote:
>
>
> Am 18.07.2016 um 11:45 schrieb Norbert Hanke:
>> On 18.07.2016 01:52, Achim Gottinger wrote:
>>>
>>>
>>> Am 18.07.2016 um 01:02 schrieb Norbert Hanke:
>>>> Hello,
>>>>
>>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC,
>>>> both with
2014 Dec 22
2
How to disable des and rc4 in the active directory domain controller ?
Hi,
When I run 'samba-tool domain exportkeytab', I found the exported
keytab file include arcfour-hmac-md5, aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des-cbc-md5, and des-cbc-crc. It seems that
modify /etc/krb5.conf no help.
My DC running with samba 4.1.13, and the server role is active
directory domain controller.
Thanks,
Dongsheng
2016 Aug 22
1
Upgrade 4.2.14 --> 4.3.11
Hi,
I had Samba 4.2.14 working as AD DC with shares. After upgrade to version 4.3.11 AD DC authentication, ADUC, etc, stopped working. Shares still work fine.
OS. Oracle Linux 6.x with UEK, uptodate. Samba compiled from source.
Upgrade procedure (nothing special):
./configure --enable-selftest
make
make install
Testparm output:
# Global parameters
[global]
workgroup = EXAMPLE
realm =
2017 Jan 18
1
AD attibutes of the (in this case) member servers differences.
Hai,
Im setting up a new proxy with winbind en kerberos auth.
So far everything ok but now im setting up my nfsv4 (with automount with systemd) for my user login on that server.
For the new setup i compaired my old proxy with my new proxy.
I noticed the old proxy is missing some attibutes in the AD object.
For example,
Samba member1 ( installed as 4.3.x ) upgraded to 4.5.3 here
2016 Dec 19
5
Problem with keytab: "Client not found in Kerberos database"
I am trying to use a keytab for a client machine to authenticate to
Samba's own LDAP server.
The samba servers (replicated) are ubuntu 16.04 with samba 4.5.2
compiled from source.
The client machine is ubuntu 16.04 with stock samba 4.3.11. It has been
joined directly to the Samba domain ("net ads join"). I have also
extracted a keytab ("net ads keytab create -P")