Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-25 Thread Doug VanLeuven
Gerald (Jerry) Carter wrote: Yup. That's what I meant. I'll try to repro your results on Monday (if all goes well). Thanks. I started up a machine that was on the shelf. This one had been joined as rc4. I edited krb5.conf and userAccountControl for des only My DHCP registers machines in

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-22 Thread Gerald (Jerry) Carter
Doug VanLeuven wrote: Do you mean KdcUseRequestedEtypesForTickets = 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ? If so, since 2004, plus the then hotfix. Yup. That's what I meant. I'll try to repro your results on Monday

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-21 Thread Doug VanLeuven
Gerald (Jerry) Carter wrote: (a) deriving the DES salt (b) generating the keytab file (c) optionally creating the UPN as part of the join. Please give it a whirl and let me know how it goes. Our Krb5 code is over 3 years old spreading about multiple MIT and heimdal versions. It's time for some

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-21 Thread Gerald (Jerry) Carter
Doug, Thanks for testing this. 2003 Enterprise server security = ADS idmap backend = ad winbind nss info = template sfu I joined an FC3 using rc4 all is smooth and browsable. I then removed support for rc4 in enctypes in /etc/krb5.conf.

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-21 Thread Doug VanLeuven
Gerald (Jerry) Carter wrote: Doug, Thanks for testing this. OK. I then removed support for rc4 in enctypes in /etc/krb5.conf. Edited the machine acct and added the flag for des_only. The domain controller can't browse the samba server. Get the

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Gerald (Jerry) Carter
Doug VanLeuven wrote: Gerald (Jerry) Carter wrote: Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Doug VanLeuven
Gerald (Jerry) Carter wrote: Doug VanLeuven wrote: Gerald (Jerry) Carter wrote: Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Gerald (Jerry) Carter
Doug, I was saying dns domain not equal realm dropped and rewrite ads join code No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures. First, I'm not having failures. I was commenting

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-18 Thread Doug VanLeuven
Gerald (Jerry) Carter wrote: Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from

RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-14 Thread Scott Armstrong
, July 13, 2006 5:35 PM To: Scott Armstrong Cc: 'Doug VanLeuven'; samba@lists.samba.org Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23 Scott Armstrong wrote: Or I could add a switch to 'net ads join' that said create the UPN. I don't really

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Doug VanLeuven
Scott Armstrong wrote: First thing - I'd like to say a big THANK YOU to the developers. I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter
Doug, File a bug report if you believe this to be true. I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter
Scott Armstrong wrote: I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. I'm still working on the keytab code. There will be more updates. Sorry I couldn't

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter
Scott Armstrong wrote: Things still worked fine for existing domain members. I only noticed it because I added a new system to the domain. Lines 962-964 of utils/net_ads.c have comments about the upn but it's never being added. I rarely program

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter
Scott Armstrong wrote: And why can't you use 'kinit -k machine$'? I probably could do that but I had been trying to keep things as close to the way I had been creating machine principals when using an MIT KDC - host/[EMAIL PROTECTED] The

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter
Scott Armstrong wrote: Or I could add a switch to 'net ads join' that said create the UPN. I don't really want to make it default behavior. Would that be acceptable? That would be fine although if you can allow the format of the hostname to

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Doug VanLeuven
No offense intended, but what is the purpose of adding the variations of case especially with respect to the FQDN? Too much guessing IMO. True. Very true. But I'll chime in with we got there after numerous authentication failures at different sites. It always seemed there had to be a

RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Scott Armstrong
- From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] Sent: Thursday, July 13, 2006 1:47 PM To: Doug VanLeuven Cc: Scott Armstrong; samba@lists.samba.org Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23 Doug, File a bug report if you

RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Scott Armstrong
Jerry, I used the convention which I'm accustomed to which is that the host should be added in fqdn form since I was modifying the code myself. i.e. host/[EMAIL PROTECTED] Help me understand how you use 'kinit -k' What kind of cron jobs are these? And why can't you use 'kinit -k machine$'?

RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Scott Armstrong
If the only reason for the UPN is so its more like MIT, then I'm inclined to push back and say just precreate the machine account with a UPN before joining the domain. Or I could add a switch to 'net ads join' that said create the UPN. I don't really want to make it default behavior. Would