wiki change request. page missing in index.


Samba - General mailing list
I notice the following.
 
When you go to :
https://wiki.samba.org/index.php/User_Documentation 
search site: keytab, nothing :-(
 
I can't find anything about keytabs.. ( not at first sight ), which I needed...
but there is this page, ( google was your friend ) : https://wiki.samba.org/index.php/Generating_Keytabs

Can someone add this in the Advanced section and make changes where needed.
after this part, or if you have a better place, but it's useful info imho.
........
This should print something like this:

'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

-------- ^^^^ already on wiki -----



A sAMAccount name can be the hostname of a computer

Then you use: net ads enctypes set HOSTNAME$
! Point of attention: HOSTNAME$.

The hostname as it's defined in your smb.conf, and after you checked the current keytab file.
(klist -ke  or klist -ke /path_to/your.keytab_file)

If the hostname is lowercased, and the netbios name is UPPERCASED, your auth will fail.

for example :
kinit -k -t /etc/krb5.keytab hostname$     not working
but  :
kinit -k -t /etc/krb5.keytab HOSTNAME$     working
 
How to use these settings in smb.conf, also a point of attention, this example is not the samba default:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
Please read man smb.conf so you know what these 2 settings exactly do.
For example, the dedicated keytab file setting is used when you also need extra UPN/SPN's.
This depends on how you use it and how you configure it. NFS is such an example.

The hostname is also used in smb.conf :     netbios name = .....
The default is to adopt the hostname of the server ( in caps ).
( check: testparm -vs | grep "netbios name" )

check your keytab file.
klist -ke |sort   ( use sort because it makes it easier to see where what is missing, for example to check if you have 5 encryption types. )
 
net ads keytab create  ( used on a domain member )
This recreates the keytab file, based on the location of dedicated keytab file, in this example, /etc/krb5.keytab 
 
backup your old keytab file, stop samba/winbind , and recreate the new one.
If you did not define dedicated keytab file, the keytab file is in /var/lib/samba/private/secret.keytab  (on debian)
 
! Tip, if you add UPN/SPN's to an account, ( for example HOSTNAME$ )
the recreated keytab now also contains your new SPN/UPN.

check again if all encryptions are there.
and check your rights on the keytab file.
chmod 640 /etc/krb5.keytab     ( it's created on debian with 600, I need 640 )
 
 
 
Greetz,
 
Louis
 
 
 
 
 
 
 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
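
The keytab checks described in the message above (exact-case HOSTNAME$ principal, all encryption types present), as an added example that is not part of the original post or of Samba. It assumes klist -ke prints the short MIT-style enctype names; MEMBER1$, EXAMPLE.COM and the sample output are constructed.

```python
import re
# Bits printed by "net ads enctypes list" (see the message above), mapped to the
# short enctype names that "klist -ke" is assumed to print (MIT Kerberos style).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",  # RC4-HMAC
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# One keytab entry: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY = re.compile(r"^\s*\d+\s+(\S+)@\S+\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")
# Constructed sample output; MEMBER1$ and EXAMPLE.COM are made-up names.
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MEMBER1$@EXAMPLE.COM (des-cbc-crc)
   2 MEMBER1$@EXAMPLE.COM (arcfour-hmac)
   2 MEMBER1$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 MEMBER1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/member1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

def parse_klist(text):
    """Return {principal without realm: set of enctype names}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            entries.setdefault(m.group(1), set()).add(m.group(2).lower())
    return entries

def check_keytab(text, account, mask):
    """Compare the keytab entries of `account` (e.g. HOSTNAME$) with the AD mask."""
    entries = parse_klist(text)
    expected = {name for bit, name in ENCTYPE_BITS.items() if mask & bit}
    found = entries.get(account, set())  # exact, case-sensitive lookup
    return {
        "missing": sorted(expected - found),
        "unexpected": sorted(found - expected),
        # same name in a different case: the situation where kinit -k fails
        "case_mismatch": sorted(p for p in entries
                                if p.lower() == account.lower() and p != account),
    }

if __name__ == "__main__":
    print(check_keytab(SAMPLE, "MEMBER1$", 31))   # mask 31 = all five bits set
    print(check_keytab(SAMPLE, "member1$", 31))
```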

Re: wiki change request. page missing in index.

On Tue, Aug 08, 2017 at 04:39:51PM +0200, L.P.H. van Belle via samba wrote:
> I notice the following.
>  
> When you go to :
> https://wiki.samba.org/index.php/User_Documentation 
> search site: keytab, nothing :-(

when I just search for "keytab" via the search menu in the menubar on the left
it sure finds lots of matches:
<https://wiki.samba.org/index.php?title=Special%3ASearch&search=keytab&go=Go>

>  
> I can't find anything about keytabs.. ( not at first sight ), which I needed...
> but there is this page, ( google was your friend ) : https://wiki.samba.org/index.php/Generating_Keytabs 
>  
> Can someone add this in the Advanced section and make changes where needed.
> after this part, or if you have a better place, but it's useful info imho.

Better idea: you create a wiki account and update the documentation
yourself. Much appreciated! I'll send you the captcha via private email.

Cheerio!
-slow
