Displaying 20 results from an estimated 10000 matches similar to: "migrate from existing MIT kerberos / openldap"
2015 Aug 18
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi,
I’ve been running a samba 4 DC for quite some time now, and while testing some kerberos related stuff, I noticed that all kerberos tickets I can get from the DC are of encryption type "arcfour-hmac-md5":
# kinit testuser1
testuser1 at S4DOM.TEST's Password:
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Ticket etype: arcfour-hmac-md5, kvno 1
I can create keytabs containing
2024 Dec 02
1
Import of exported unicodePwd does not update Kerberos password
Hello,
I'm troubleshooting an old backup script that exports and imports users
from a Samba database using `samba-tool`.
It's implemented so that passwords are exported using "samba-tool user
getpassword {username} --attributes=unicodePwd".
On the import side, an LDIF file is created in the following format:
```
dn: CN={username},OU=Users,DC=example,DC=com
changetype: modify
```
2015 Aug 19
2
Samba 4 DC - no AES kerberos tickets - only arcfour
Hi Trever,
things improved after resetting user/machine passwords, however only the session key is using aes256 now, the ticket itself is still arcfour:
root at ubuntu1:~# kinit user09999
user09999 at S4DOM.TEST's Password:
root at ubuntu1:~# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user09999 at S4DOM.TEST
Cache version: 4
Server: krbtgt/S4DOM.TEST at
2024 Dec 02
1
Import of exported unicodePwd does not update Kerberos password
On Mon, 2 Dec 2024 10:54:38 +0100
"Emil.s via samba" <samba at lists.samba.org> wrote:
> Hello,
>
> I'm troubleshooting an old backup script that exports and imports
> users from a Samba database using `samba-tool`.
>
> It's implemented so that passwords are exported using "samba-tool user
> getpassword {username} --attributes=unicodePwd".
2013 Jan 04
2
Migrating kerberos KDC data into Samba4 internal KDC
Is there a mechanism to migrate/import user principal information from an
MIT KDC into a Samba4 internal KDC?
We currently run our Active Directory users with Account Mappings that
utilize a cross-realm trust between our MIT KDC (where user principals
are maintained) and the Active Directory domain, as documented at
*http://tinyurl.com/bx9znca* This works fine for our Windows clients,
but it
2017 Apr 09
6
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Quoting Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> wrote:
>> Hi everyone!
>>
>> I have a LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba
>> 4.2 running on a Debian 8.7 box.
>>
>> I
2017 Feb 01
3
samba creating keytabs... ( possible bug, can someone confirm this )
Hai,
I noticed something strange in the keytab file on my member server.
This is a followup of : [Samba] winbind question. (challenge/response password authentication)
Samba 4.5.3 on Debian Jessie.
Leave the domain.
net ads leave -k
Deleted account for 'PROXY2' in realm 'REALM'
I checked in windows, and the computer is gone in the “Computer” ou.
Removed the
2017 Jan 18
1
AD attibutes of the (in this case) member servers differences.
Hai,
I'm setting up a new proxy with winbind and kerberos auth.
So far everything ok but now I'm setting up my nfsv4 (with automount with systemd) for my user login on that server.
For the new setup I compared my old proxy with my new proxy.
I noticed the old proxy is missing some attributes in the AD object.
For example,
Samba member1 ( installed as 4.3.x ) upgraded to 4.5.3 here
2019 Apr 29
2
missing enctypes in exported keytab
On 29.04.2019 at 19:21, Rowland Penny via samba wrote:
> On Mon, 29 Apr 2019 19:02:44 +0200
> Christian via samba <samba at lists.samba.org> wrote:
>
>>>>> Thats a strange one..
>>>>>
>>>>>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes":
>>>>>> 31 (0x0000001f)
2017 Mar 18
2
kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
I made some progress with the issue, but didn't solve it completely
It's basically a kind of bug (i'm not sure if it's on kerberos side or
samba, I think samba is the culprit here (?).
Microsoft uses kind of weird SPN for Hyper-V. Weird as there are
"spaces" in the string - which is kind of unique as far as SPN's go,
usually SPN form a complete string.
So I kind
2017 Apr 09
1
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Sun, 2017-04-09 at 16:12 +0100, Rowland Penny via samba wrote:
> On Sun, 09 Apr 2017 14:47:59 +0000
> Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
>
>
>
> > Is there any chance that this could mean I only need to wipe
> > 'supplementalCredentials' attribute -- I saw that it is possible
> > --
> > after set the
2017 Mar 09
2
Joining Samba4 to Win 2008 AD domain breaks other kerberos functions
I have a Windows 2008 domain (one Win 2008 DC, one Win 2012 R2 DC.)
I am trying to join a Solaris 11 machine to the domain for both Samba
and other services. For "unix" logins and ssh, Solaris 11 is configured
to use LDAP for user and group lookup and kerberos for authentication.
The "kclient -T ms_ad" command joins the Solaris machine to the AD
domain. It even
2013 Oct 11
3
Removing a domain controller help needed
On Fri, 2013-10-11 at 16:00 +1300, Andrew Bartlett wrote:
> On Fri, 2013-09-13 at 09:10 +0200, christophe wrote:
> > Hi,
> >
> > First guys, I'd like to congratulate you. Samba 4 is really a cool product.
> >
> > I have a little problem though.
> >
> > The context:
> >
> > I have Samba4 AD DC working perfectly on a virtual machine
>
2017 Nov 10
2
Slow Kerberos Authentication
No, no idea, but really, upgrade to samba, best option, in my opinion.
If that's not possible, it happens..
A timeout option can be set in krb5.conf
for example : kdc_timeout = 5000
You have these for krb5.conf to try out also.
the complete list.
des-hmac-sha1
DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts AES-256
CTS mode with 96-bit SHA-1 HMAC
2019 Nov 15
3
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Here's the keytab info:
ubuntu at kvm7246-vm022:~/samba$ sudo klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 1)
12 host/KVM7246-VM022 at TC83.LOCAL (etype 1)
12 host/kvm7246-vm022.tc83.local at TC83.LOCAL (etype 3)
12
2014 May 09
1
samba4 : [kerberos part kinit work but no kpasswd
hi,
i have recently installed a samba 4 in a DC role.
The distribution is a debian jessie/sid, the version of samba is 4.1.7.
The server is globally working but there is some little trouble.
on the server itself, i can do a kinit without problem but if i try a kpasswd, i obtain the following
root at station:/var/log/samba# kinit
Password for administrator at TOTO.FR:
root at
2017 Sep 05
3
Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown
Today's episode of "why is AD break", brought to you by:
> [2017/09/05 10:17:06.015617, 3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update)
> Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC: Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at at AD.TAO.AT) unknown
> [2017/09/05 10:17:06.015717, 0]
2019 Nov 15
2
Why is smbd looking for Kerberos principal cifs/host@DOMB when it is a member of DOMA?
Hi all. I'm trying to understand a weird authentication failure:
I have two domains (TC83.LOCAL and TC84.LOCAL), each in a different forest,
with a bidirectional forest trust.
The samba server kvm7246-vm022.maas.local is a domain member of TC83 and is
running a recent build from git master (f38077ea5ee).
When I test authentication of users in each domain by running ntlm_auth on
the samba server,
2016 Jun 08
1
keytabs basics linux <=> AD ?
hi users
a novice here hoping to grasp fundamentals soon
I have a samba+sssd as a client to an AD - I have all the
keytabs for a host(I think) but I noticed weird(to me at
least) smbclient behavior.
when I do:
$ smbclient -L swir -U me at AAA.PRIVATE.DOM -k
all works, clients sees local samba's shares, when I do:
$ smbclient -L swir.private.aaa.private.dom -U
pe243 at AAA.PRIVATE.DOM -k
2004 Oct 15
4
member server and kerberos
hello
i have been struggling for too long trying to setup the following
configuration:
debian samba 3 member server of a win 2000 AD
here is my configuration:
## smb.conf ##
[global]
log level = 4
interfaces = 192.168.10.11/255.255.255.0
workgroup = datom
realm = datom.dyndns.org
server string = samba membre
security = ads
netbios name = cafeine
log file = /var/log/samba/samba.log
max log size