similar to: Domain trust and browsing users and groups problem

After reviewing logs I found that my previous assumption was wrong. Situation: - i'm trying to start live migration from hyper-v host A (BMSRV4-HYPERV) to hyper-v host B (BM-SRV-5) from host B (logged in as user from DOMAIN ADMINS group). Kerberos constrained delegation is set in accordnance to microsoft instructions with proper SPN's set (well, proper as in with the workaround I

Hello, This won't be a very helpful reply, but I can confirm I've had the exact same issue. I ran into this a few years ago and could not get HyperV migrations to work with a Samba DC. I even went so far as to install a Windows DC just to prove to myself that it is supposed to work, and it does, perfectly (with ADDC it even creates all the SPNs for you auto-magically). Unfortunately at

Hi, I hit the issue described in this thread https://groups.google.com/forum/#!topic/linux.samba/VfjW9Af92Wg while testing out s4u2self and s4u2proxy in a windows service, so I wanted to share my setup. So I wrote a small windows service that's running as a local system account to impersonate an user via s4u2self (using LsaLogonUser in win32 api than calling ImpersonateLoggedOnUser) and then

The client can not access the Windows Share after authorization on samba DC samba_dc_server: samba 4.7.6 krb5-libs 1.15.2-7 windows client: windows7 windows_file_server: windows server 2008 /var/log/samba/mit_kdc.log мар 22 15:43:49 samba_dc_server krb5kdc[17891](info): commencing operation мар 22 15:43:56 samba_dc_server krb5kdc[17891](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.2.1.12:

Hi list, the behaviour of winbind changed in Samba version 4.8.3. Having this nsswitch.conf: # cat /etc/nsswitch.conf passwd: compat winbind cache group: compat winbind cache shadow: compat hosts: files dns networks: files protocols: db files services: db files ethers: db

I made some progress with the issue, but didn't solve it completely It's basically a kind of bug (i'm not sure if it's on kerberos side or samba, I think samba is the culprit here (?). Microsoft uses kind of weird SPN for Hyper-V. Weird as there are "spaces" in the string - which is kind of unique as far as SPN's go, usually SPN form a complete string. So I kind

Hi list, this might be related to my other mail with the subject "Domain trust and browsing users and groups problem". We have a forest trust of two domains. One domain in US (us.root.prv) running exclusively on Windows 2012 R2 and one in EU (spreadshirt.private) running exclusively Sernet Samba 4.8.3-11. Both domains run functional level "2008 R2". The trust validates

Hello everyone, I have a FreeNAS server (9.10 running samba 4.3.11-GIT-UNKNOWN) that's recently started emitting this error: gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/nas01 at EXAMPLE.COM(kvno 4) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] I've looked at bug 12262 [1], which is why I've cc'd Stefan Metzmacher. I don't

After a user changes their password (CTRL-ALT-DEL) in our Samba 4 domain (4.1.12) they lose access to any stored passwords on their Windows PC. I've set the log level in smb.conf to 4 and enabled the GPO to record DPAPI log entries in Windows to get the below log data. My reading of the two is that the Windows PC believes it is failing to reset the access to its DPAPI store (where the saved

In case you missed the link in the original email, here's the smb.conf: [global] kerberos method = secrets and keytab logging = systemd realm = TC83.LOCAL security = ADS template homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = TC83 idmap config * : range = 1000000-19999999 idmap config * : backend = autorid

I am using Samba with Active Directory. I have successfully joined my Samba server to the domain D1 ( net ads join -U username@D2.DOMAIN.COM ). I am able to succesfully connect from Windows XP clients ( with no password ), but not from Windows 2000 ( even when specifying a password ). With w2k, I always get "Failed to verify incoming ticket!". I think it has something to do with

Hello, I've setup over 6 months ago samba 4 AD on centos 7.3 (self compiled from source). Up until now I didn't encounter any undocumented errors. I have 3 DC's (all samba 4.5.3) which are working pretty nice with over 60 windows clients. The issue I've stumbled upon is when I added Windows server Hyper-V hosts to the domain. Tried with Hyper-V from 2012, 2012r2 and new 2016

On Mon, 2 Jul 2018 08:53:31 +0200 Tino Müller via samba <samba at lists.samba.org> wrote: > Hi list, > > the behaviour of winbind changed in Samba version 4.8.3. > > Having this nsswitch.conf: > # cat /etc/nsswitch.conf > passwd: compat winbind cache > group: compat winbind cache > shadow: compat > > hosts:

On Monday, 2 July 2018 08:53:31 CEST Tino Müller via samba wrote: > Hi list, > > the behaviour of winbind changed in Samba version 4.8.3. > > Having this nsswitch.conf: > # cat /etc/nsswitch.conf > passwd: compat winbind cache > group: compat winbind cache > shadow: compat > > hosts: files dns

Hi, I have a domain with 3 DCs running 4.11.8. The database itself dates back to Samba3 and has been gradually updates over the years. When I check out a ticket I get the following results from klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user at OLDDOMAIN Valid starting Expires Service principal 06/12/2020 23:25:04 06/13/2020 09:25:04 krbtgt/ OLDDOMAIN at

Hey I just discovered that one of the Promo pages [1] points to a spread shirt shop [2]. Maybe this link should be removed as I don't think Lance is still involved? Or can we take it over somehow? Cheers Didi [1] http://wiki.centos.org/SpecialInterestGroup/Promo/TODO [2] http://centos.spreadshirt.com/us/US/Shop/ -- My www page: www.ribalba.de Email / Jabber: ribalba at gmail.com Skype

I am able to get a kerberos ticket with kinit. When I try to net ads join, it seems to loop. In running net ads join in -d 10, I found that it tries enctypes 18,17,16,and 2 and then repeats, over and over. It does not seem to work on any of these. I'm trying to get it to join a win2k3 domain. Below is the bottom part of the log from net ads join, as well as some of my krb5.conf. Any

Hello. I'm having difficulty running kerberized samba on my Linux box in my Windows ADS domain. Specifically, smbclient -k //server/share fails with a "session setup failed: NT_STATUS_LOGON_FAILURE" error message. I ran smbd with -d 3 debugging verbosity, and the following came out on stdout/stderr. I marked the interesting lines with ***'s: # smbd -i -d 3

Here's the keytab info: ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1) 12 host/KVM7246-VM022 at TC83.LOCAL (etype 1) 12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3) 12

Your config looks ok, as far i can tell. This : "cifs/kvm7246-vm022.maas.local at TC84.LOCAL" As it should spn/hostname.fqdn at REALM nothing wrong with that. But if i understand it right. Your server : kvm7246-vm022.maas.local is in REALM : TC83.LOCAL ( NTDOM:TC83 ) But you get TC84 back?. On the problem server run the following: dig a kvm7246-vm022.maas.local @IP_of_AD-DC