Re: [Samba] generate keytab
Hi, does not http.keytab.

exported thus:

$ samba-tool domain exportkeytab http.keytab --principal=HTTP/ejbca.nisled@nisled.org

output line:

# klist -ke http.keytab
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/ejbca.nisled@nisled.org (des-cbc-crc)
   2 HTTP/ejbca.nisled@nisled.org (des-cbc-md5)
   2 HTTP/ejbca.nisled@nisled.org (arcfour-hmac)

kinit:

# kinit -k -e http.keytab http-ejbca
kinit: Key table entry not found while getting initial credentials

Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org

Classification: ( ) Confidential (X) Internal

The information contained in this message and its attachments is of exclusive interest to those to whom it was addressed and may be confidential; its retention, distribution, disclosure, reproduction or use is therefore prohibited, under penalty of law. If you have received this message in error, we kindly ask you to inform its author and delete it from your inbox, records or control system.

2013/1/25 Andrew Bartlett abart...@samba.org

> On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> > Please! Don't write into private mail. Thanks.
> >
> > > $ samba-tool user create http-user --random-password
> > > $ samba-tool spn add HTTP/www.nisled.org http-user
> >
> > Okay, you've got user http-user with principals http-u...@nisled.org and HTTP/www.nisled@nisled.org.
> >
> > > $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
> >
> > Here you export _only_ HTTP/www.nisled@nisled.org.
> >
> > > $ kinit -k -t http.keytab http-user
> > > kinit: Key table entry not found while getting initial credentials
> >
> > Of course, because you didn't export it.
> >
> > > Can anyone help me?
> >
> > Export http-u...@nisled.org too.
>
> Exactly. While the Samba KDC is smart, and knows these are the same user, the keytab and krb5 client tools are dumb (very), they work on exact string matches, so you have to export out exactly the name you want to kinit as, or kinit as HTTP/www.nisled@nisled.org.
>
> Andrew Bartlett
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] generate keytab
Hi,

> Hi, does not http.keytab.
>
> exported thus:
>
> $ samba-tool domain exportkeytab http.keytab --principal=HTTP/ejbca.nisled@nisled.org
>
> output line:
>
> # klist -ke http.keytab
> Keytab name: WRFILE:http.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/ejbca.nisled@nisled.org (des-cbc-crc)
>    2 HTTP/ejbca.nisled@nisled.org (des-cbc-md5)
>    2 HTTP/ejbca.nisled@nisled.org (arcfour-hmac)
>
> kinit:
>
> # kinit -k -e http.keytab http-ejbca
> kinit: Key table entry not found while getting initial credentials
>
> Prof. Msc. Clodonil H. Trigo
> www.nisled.org
> E-mail: clodo...@nisled.org

Your kinit line is invalid. If you've exported HTTP/ejbca.nisled@nisled.org, you should kinit (using keytab) as it:

kinit -k -e http.keytab HTTP/ejbca.nisled.org

(supposing that NISLED.ORG is your default domain) as there were no keytab entries for http-ejbca (even if they are the same on the KDC, being only an spn for each other)

Regards

Geza Gemes
Re: [Samba] generate keytab
Hello Friends,

keep trying to generate the keytab. Run these commands, most believe that the problem is the encryption methods.

$ samba-tool user create http-user --random-password
$ samba-tool spn add HTTP/www.nisled.org http-user
$ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab

The output of the command klist

$ klist -ke http.keytab
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/www.nisled@nisled.org (des-cbc-crc)
   1 HTTP/www.nisled@nisled.org (des-cbc-md5)
   1 HTTP/www.nisled@nisled.org (arcfour-hmac)

kinit command output

$ kinit -k -t http.keytab http-user
kinit: Key table entry not found while getting initial credentials

Can anyone help me?

Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org

2012/12/22 Andrew Bartlett abart...@samba.org

> On Thu, 2012-12-20 at 14:44 -0200, Clodonil Trigo wrote:
> > Hi Kleb Valoshka, thereby I did.
> >
> > $ samba-tool user add proxy-user
> > $ samba-tool user setexpiry proxy-user -noexpiry
> > $ samba-tool spn add http/proxy-user proxy.nisled.org
> > $ samba-tool spn add http/proxy.nisled.org proxy-user
> >
> > does not work,
> >
> > Clodonil
> >
> > 2012/12/20 Hleb Valoshka 375...@gmail.com
> >
> > > On 12/20/12, Clodonil Trigo clodo...@nisled.org wrote:
> > > > $ samba-tool user add proxy-user
> > > > $ samba-tool user setexpiry proxy-user -noexpiry
> > > > $ samba-tool spn add http/proxy-user proxy.nisled.org
> > >
> > > Find the difference:
> > > samba-tool spn add http/proxy.nisled.org proxy-user
> > >
> > > > $ samba-tool domain exportkeytab /etc/proxy.keytab --principal=http/proxy.nisled.org
>
> At this point some idea of the errors you got where it 'does not work' would be helpful, as would the output of ktlist on the generated keytab:
>
> ktutil
> rkt /etc/proxy.keytab
> list
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
Re: [Samba] generate keytab
Please! Don't write into private mail. Thanks.

> $ samba-tool user create http-user --random-password
> $ samba-tool spn add HTTP/www.nisled.org http-user

Okay, you've got user http-user with principals http-u...@nisled.org and HTTP/www.nisled@nisled.org.

> $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab

Here you export _only_ HTTP/www.nisled@nisled.org.

> $ kinit -k -t http.keytab http-user
> kinit: Key table entry not found while getting initial credentials

Of course, because you didn't export it.

> Can anyone help me?

Export http-u...@nisled.org too.
Re: [Samba] generate keytab
Hi,

Looking dns.key he has more encryption options:

$ klist -ke dns.keytab
Keytab name: WRFILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/smb4.nisled@nisled.org (des-cbc-crc)
   1 dns-s...@nisled.org (des-cbc-crc)
   1 DNS/smb4.nisled@nisled.org (des-cbc-md5)
   1 dns-s...@nisled.org (des-cbc-md5)
   1 DNS/smb4.nisled@nisled.org (arcfour-hmac)
   1 dns-s...@nisled.org (arcfour-hmac)
   1 DNS/smb4.nisled@nisled.org (aes128-cts-hmac-sha1-96)
   1 dns-s...@nisled.org (aes128-cts-hmac-sha1-96)
   1 DNS/smb4.nisled@nisled.org (aes256-cts-hmac-sha1-96)
   1 dns-s...@nisled.org (aes256-cts-hmac-sha1-96)

$ klist -ke http.keytab
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/ejbca.nisled@nisled.org (des-cbc-crc)
   1 HTTP/ejbca.nisled@nisled.org (des-cbc-md5)
   1 HTTP/ejbca.nisled@nisled.org (arcfour-hmac)

How to enable these encryptions in my http.keytab?

Clodonil

2013/1/24 Hleb Valoshka 375...@gmail.com

> Please! Don't write into private mail. Thanks.
>
> > $ samba-tool user create http-user --random-password
> > $ samba-tool spn add HTTP/www.nisled.org http-user
>
> Okay, you've got user http-user with principals http-u...@nisled.org and HTTP/www.nisled@nisled.org.
>
> > $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
>
> Here you export _only_ HTTP/www.nisled@nisled.org.
>
> > $ kinit -k -t http.keytab http-user
> > kinit: Key table entry not found while getting initial credentials
>
> Of course, because you didn't export it.
>
> > Can anyone help me?
>
> Export http-u...@nisled.org too.
Re: [Samba] generate keytab
On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> Please! Don't write into private mail. Thanks.
>
> > $ samba-tool user create http-user --random-password
> > $ samba-tool spn add HTTP/www.nisled.org http-user
>
> Okay, you've got user http-user with principals http-u...@nisled.org and HTTP/www.nisled@nisled.org.
>
> > $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
>
> Here you export _only_ HTTP/www.nisled@nisled.org.
>
> > $ kinit -k -t http.keytab http-user
> > kinit: Key table entry not found while getting initial credentials
>
> Of course, because you didn't export it.
>
> > Can anyone help me?
>
> Export http-u...@nisled.org too.

Exactly. While the Samba KDC is smart, and knows these are the same user, the keytab and krb5 client tools are dumb (very), they work on exact string matches, so you have to export out exactly the name you want to kinit as, or kinit as HTTP/www.nisled@nisled.org.

Andrew Bartlett
--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
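The exact-string matching described in the message above, together with the enctype comparison asked about earlier in the thread, as an added example that is not part of the original posts: a pre-flight check over `klist -ke` output that tells you whether `kinit -k` can find a given principal and whether AES keys were exported for it. The function names and the `example.test` / `EXAMPLE.TEST` sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of the thread's `klist -ke http.keytab` output.
# example.test / EXAMPLE.TEST are placeholders, not values from the thread.
sample_klist() {
cat <<'EOF'
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/www.example.test@EXAMPLE.TEST (des-cbc-crc)
   1 HTTP/www.example.test@EXAMPLE.TEST (des-cbc-md5)
   1 HTTP/www.example.test@EXAMPLE.TEST (arcfour-hmac)
EOF
}

# Read `klist -ke` output on stdin and print one enctype per line for the
# entries whose principal equals "$1" exactly (whole string, case-sensitive).
keytab_enctypes() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { gsub(/[()]/, "", $3); print $3 }'
}

# Succeed only if the keytab on stdin holds an entry for principal "$1".
# A name without a realm gets "@$2" appended first, as kinit does with the
# default realm.
keytab_has_principal() {
    name=$1
    case $name in
        *@*) ;;
        *) name="$name@$2" ;;
    esac
    [ -n "$(keytab_enctypes "$name")" ]
}

# Succeed only if principal "$1" has at least one AES key in the keytab.
keytab_has_aes() {
    keytab_enctypes "$1" | grep -q '^aes'
}

# Demo on the constructed sample: the user name is absent, the SPN is present.
for p in http-user HTTP/www.example.test; do
    if sample_klist | keytab_has_principal "$p" EXAMPLE.TEST; then
        echo "$p: entry found, kinit -k can use it"
    else
        echo "$p: no entry, kinit -k fails with 'Key table entry not found'"
    fi
done
sample_klist | keytab_has_aes HTTP/www.example.test@EXAMPLE.TEST ||
    echo "HTTP/www.example.test@EXAMPLE.TEST: no AES keys exported"
```

On a real host, pipe `klist -ke` of the keytab in question into the functions in place of `sample_klist`.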
Re: [Samba] generate keytab
On Thu, 2012-12-20 at 14:44 -0200, Clodonil Trigo wrote:
> Hi Kleb Valoshka, thereby I did.
>
> $ samba-tool user add proxy-user
> $ samba-tool user setexpiry proxy-user -noexpiry
> $ samba-tool spn add http/proxy-user proxy.nisled.org
> $ samba-tool spn add http/proxy.nisled.org proxy-user
>
> does not work,
>
> Clodonil
>
> 2012/12/20 Hleb Valoshka 375...@gmail.com
>
> > On 12/20/12, Clodonil Trigo clodo...@nisled.org wrote:
> > > $ samba-tool user add proxy-user
> > > $ samba-tool user setexpiry proxy-user -noexpiry
> > > $ samba-tool spn add http/proxy-user proxy.nisled.org
> >
> > Find the difference:
> > samba-tool spn add http/proxy.nisled.org proxy-user
> >
> > > $ samba-tool domain exportkeytab /etc/proxy.keytab --principal=http/proxy.nisled.org

At this point some idea of the errors you got where it 'does not work' would be helpful, as would the output of ktlist on the generated keytab:

ktutil
rkt /etc/proxy.keytab
list

Thanks,

Andrew Bartlett
--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Re: [Samba] generate keytab
Hi,

What is the best way to generate the keytab in Samba4 to squid and http?

I've used these commands without success:

$ samba-tool user add proxy-service
$ samba-tool user setexpiry proxy-service -noexpiry
$ samba-tool user add proxy-user
$ samba-tool user setexpiry proxy-user -noexpiry
$ samba-tool spn add http/proxy-user proxy.nisled.org
$ samba-tool domain exportkeytab /etc/proxy.keytab --principal=http/proxy.nisled.org

I also used this command:

$ msktutil -c -b CN=COMPUTERS -s HTTP/proxy.nisled.org -h -k proxy.nisled.org proxy.keytab --computer-name proxy -upn HTTP/proxy-service.nisle.dorg --server pdc.nisled.org --verbose

Can you help me generate this keytab?

Clodonil
Re: [Samba] generate keytab
On 12/20/12, Clodonil Trigo clodo...@nisled.org wrote:
> $ samba-tool user add proxy-user
> $ samba-tool user setexpiry proxy-user -noexpiry
> $ samba-tool spn add http/proxy-user proxy.nisled.org

Find the difference:
samba-tool spn add http/proxy.nisled.org proxy-user

> $ samba-tool domain exportkeytab /etc/proxy.keytab --principal=http/proxy.nisled.org
Re: [Samba] generate keytab
Hi Kleb Valoshka, thereby I did.

$ samba-tool user add proxy-user
$ samba-tool user setexpiry proxy-user -noexpiry
$ samba-tool spn add http/proxy-user proxy.nisled.org
$ samba-tool spn add http/proxy.nisled.org proxy-user

does not work,

Clodonil

2012/12/20 Hleb Valoshka 375...@gmail.com

> On 12/20/12, Clodonil Trigo clodo...@nisled.org wrote:
> > $ samba-tool user add proxy-user
> > $ samba-tool user setexpiry proxy-user -noexpiry
> > $ samba-tool spn add http/proxy-user proxy.nisled.org
>
> Find the difference:
> samba-tool spn add http/proxy.nisled.org proxy-user
>
> > $ samba-tool domain exportkeytab /etc/proxy.keytab --principal=http/proxy.nisled.org