Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

0 votes
0 answers
27 views

Determine which app sends requests to Kerberos

We have a guacamole/mstsc in order to get to our Windows instances; the problem is additional requests which come from a background application, and I can't determine which one that is. For example. I ...
Antony Blazer
0 votes
1 answer
59 views

Can't connect cifs share : 128 key has been revoked

Since 1 month, I can't connect to my DFS share from any Linux server. [root@server /]# mount -t cifs //server/share/saves /mnt -o username=user,domain=domain.com Password for user@//server/share/...
Alex Lum
  • 155
0 votes
1 answer
77 views

Windows security event ID 4769 Kerberos Error on single user Domain

I have a test lab with a single Windows Server 2019 and a single Windows 10 Pro PC that connects to it, with a single user, me. I test our own software on it and that's it. As of the past few days I ...
SKidd
  • 61
-1 votes
1 answer
233 views

How can I automate joining a Linux container to a Samba Domain?

I have a Samba domain controller (also running in a container) and I would like to start a new container and have it become a member of the domain. The normal process for this is to enter the ...
M Conrad
  • 109
0 votes
0 answers
46 views

SSH config for remote servers using kerberos [migrated]

I connect to my remote server using: ssh -At [email protected] ssh -At [email protected] The following only asks me for a password one time. I do not have any authentication file on my computer, ...
Peyman
  • 101
-1 votes
2 answers
112 views

why are multiple Kerberos TGTs visible thru klist?

I just started trying to understand kerberos and stumbled across the two TGTs on my system too - then I found the post multiple LDAP and krbtgt tickets generated. I read into Kerberos delegation, but ...
KaiK
  • 1
-1 votes
1 answer
66 views

Active directory server set up DNS resolution failure or VERY SLOW, can I route external DNS requests the traditional way, before the server existed?

I'm very new to the world of active directory, windows server etc., so I apologise if some of the questions I ask are a bit stupid, but I'll try and explain exactly what I want to do below, and my ...
Oliver Ricketts
0 votes
0 answers
138 views

SSO not working between a browser and a Keycloak using a user federation with Kerberos integration to a Windows AD

I am trying to get SSO working using a browser (Chrome or Firefox) and Keycloak configured with a user federation AD Domain (Kerberos is configured). First I present the overview of what I have and ...
Afonso R.
0 votes
0 answers
142 views

"LDAP bind dn value missing" error when setting up Kerberos and OpenLDAP on Ubuntu 22.04

I have been following [these][1] instructions for setting up Kerberos to use an existing OpenLDAP server as its backend. I have run into a problem in the very last step. I am trying to add an existing ...
Andrew Vickers
0 votes
1 answer
112 views

sudo with Kerberos credentials

We are on Oracle Linux 7.9, which is part of a Kerberos realm. I would like account foo to be able to execute (without any password) one command as account bar with Kerberos credentials of bar ...
Peter G. Horvath
0 votes
0 answers
88 views

Request to Kerberos authenticated API considered unauthorized despite having kerberos ticket in authorization header

I am trying to call a Flask API endpoint (http://monarch.example.com:8080/) hosted in Apache web server in a Linux machine. This endpoint is protected by Kerberos authentication. I use kinit user to ...
Renascence Tarafder Prapty
1 vote
1 answer
64 views

How to update encryption type of the kerberos stash?

Recent security updates have started causing the following warning to appear in kdc logs: krb5kdc[1127011]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1 Given that newer ...
npr_se
  • 13
1 vote
0 answers
65 views

Custom RPC Kerberos authentication working on Samba but not on Windows

I have implemented an RPC client in C# which uses GSS/SPNEGO authentication. I am trying to connect to the standard/Active Directory services (DRSAPI, SAMR etc...) on the server. The authentication ...
fred_kp
  • 11
1 vote
0 answers
122 views

Kerberos Migration Issues - Ubuntu Server

We are in the process of migrating the Active Directory from a Debian server to Ubuntu. LDAP (Slapd), libnss, Kerberos, pam, and nfs have been configured. However on client login attempt the server ...
guest123
0 votes
1 answer
238 views

Refresh kerberos ticket instead of prompting for pam password

Using centralised auth against FreeIPA is working great. In order to use Kerberos SSO when using ssh, scp etc from jumphosts users must initiate their Kerberos tickets first with kinit. I've added ...
dmgeurts
1 vote
2 answers
227 views

How do I query user attributes from a Samba AD DC in Linux with Kerberos auth?

An answer exists for querying AD with password auth, which is working fine locally. What about Kerberos auth? Running ldapsearch with GSSAPI auth yields the following error: $ ldapsearch -ZZ -Y GSSAPI ...
cqcallaw
  • 163
0 votes
0 answers
379 views

Multiple Kerberos Providers in Keycloak

I have a Keycloak with 2 different LDAP Providers which include Kerberos Authentication. Provider A is on first priority, provider B on second priority. Both provider settings provide their different ...
Lithilion
  • 131
2 votes
1 answer
131 views

Able to get Kerberised NFSv4 export mounted once, not subsequently. 'Access denied by server while mounting'; 'Additional pre-authentication required'

Able to get Kerberised NFSv4 export mounted once, not subsequently. 'Access denied by server while mounting'; 'Additional pre-authentication required' Hi, I'm new to Kerberos, but have some experience ...
Ansel Pol
0 votes
1 answer
30 views

What's wrong with my nagios kdc configuration?

I want to setup a service to check the kdc with nagios. With my kdc (samba4) I create the user using this script #!/bin/bash USER=nagioskerberos DOMAIN=myhost.priv SERVICE=nagioskerberos FQDN=nagios1....
elbarna
  • 328
1 vote
1 answer
206 views

Overriding win/kerberos computer secure channel

Is there a way to completely ignore/override/overrule establishing a secure channel? I'm trying to revert a VM snapshot to test something, and the domain controller is being obnoxious and not allowing ...
aphid
  • 149
0 votes
1 answer
179 views

multiple LDAP and krbtgt tickets generated

I was doing some testing to understand Kerberos behavior, I have a user Alice logged into a machine part of lab.local domain, after sign in, I run net user \dc\sysvol to trigger service ticket request ...
Basem
  • 3
0 votes
1 answer
135 views

Server 2019 Domain Controller SMBclient cannot map NetApp Drives

I am supporting Windows again after many years. This client I'm assigned to has Domain Controllers running 2008r2 and 2012r2 and they want Azure AD Connect Password Hash Sync. The minimum requirement ...
D.Fitz
  • 162
1 vote
0 answers
269 views

Windows Remote Desktop defaulting to NTLM

The issue: I have a Virtual Host - VHost.domian.com. When I try to connect from my laptop - Laptop.domain.com - it seems to be trying to use NTLM for authentication and not Kerberos. Note: My laptop ...
Johnny Heisler
0 votes
1 answer
1k views

Invalidate all Kerberos Tickets of a Domain User

I deactivated an Active Directory domain user and logged off his computer. I am not sure, maybe he is logged on anywhere else (some switch, router,..) so I was curious if it is possible to invalidate ...
mbrain
  • 5
0 votes
1 answer
89 views

Start multiple dependent daemons in one systemd service

I set up a FreeRADIUS server with a SQL backend running on a remote MariaDB instance. Authentication and traffic encryption should be handled by Kerberos using k5start to maintain the tickets. The ...
Lars Hanke
0 votes
0 answers
162 views

Failed to parse SPNEGO request

So I wanted to experiment with this smbprotocol in local docker (compose) network controlled environment and in all my attempts, I've been able to solve a lot of issues that always seem to return me ...
toonday
  • 101
0 votes
1 answer
136 views

pgadmin4 using kerberos authentication returns error "Kerberos authentication failed. Couldn't find kerberos ticket"

My environment: MIT Kerberos server on Red Hat 8.8 PostgreSQL server v15.3 on Red Hat 8.8 PostgreSQL client v15.3 on Ubuntu 22.04 Desktop I have configured PostgreSQL server to use Kerberos. On my ...
folow
  • 101
0 votes
0 answers
260 views

Setup kerberos with nfsv4 for no_root_squash mounts

I am very new to kerberos and nfs. Kindly help to know if this is feasible. The NFS server is Truenas scale and client is ubuntu 22.04 desktop. nfs v4 is enabled in Truenas server and exports /export/...
tachy
  • 13
2 votes
1 answer
1k views

How can I send DNS Resource Record updates from Linux to a Windows Active Directory DNS zone that only accepts secure updates?

My company has an existing Windows AD DNS zone that I do not directly manage (but I know the folks who do manage it). The zone will accept dynamic updates, but the updates must be "secure". ...
user3629081
1 vote
1 answer
298 views

Setup SSO : openldap, kerberos, nfs(truenas) :

Currently I am able to setup a SSO NFS setup with openldap ldap server and Truenas NFS server (with LDAP access configured). The ubuntu clients are able to use pam-mount to mount the nfs home shares. ...
tachy
  • 13
1 vote
2 answers
281 views

Add member to Kerberos domain programmatically

I want to have an embedded device join a Linux based AD/DC domain. I have Kerberos libraries (no executables) on the embedded device. I have an application on the embedded device that can ...
Richard Schmitt
0 votes
1 answer
165 views

Linux, Basic password authentication against 2 different AD without joining domain

We have AIX and Linux servers running with basic password authentication against a Windows AD using Kerberos, so they are local users with a username identical to their sAMAccountName in the AD and all ...
akm
  • 1
1 vote
1 answer
980 views

Auto-renewing kerberos tickets with SSSD/AD

I've been trying to get users' ccache files to auto-renew with a couple methods neither of which are exactly working for me. This is a debian 11 box, MIT kerberos. My preferred option is to auto-renew ...
bikeactuary
0 votes
0 answers
243 views

Failing to decrypt kerberos AP_REP with wireshark

I'm trying to decrypt Kerberos traffic with Wireshark for learning purposes. My process is as follows: First I retrieve the keytab for the test user with kadmin kadmin.local: ktadd -k vdzh-fin.keytab ...
vudex
  • 1
1 vote
1 answer
1k views

List kerberos tickets, expiration details with SSSD/realm

tl;dr - how do I check details of users' kerberos tickets to confirm they are being renewed as I've sought to configure, using realm or sssd (no klist installed)? Hi - I'm on a Debian 11 system which ...
bikeactuary
0 votes
2 answers
2k views

Accessing Windows file server by alias name

What could be the possible problems with accessing a Windows file server shares using a DNS CNAME instead of the actual computer name? The file server is joined to an Active Directory domain, but is ...
DavisNT
  • 354
2 votes
1 answer
711 views

How to enable Kerberos delegation from SQL Server to DFS File Share

I am trying to enable my MSSQL database users to BULK INSERT / OPENROWSET() a CSV file that is stored on our DFS/cifs/smb network shares. Initial Setup I have the MSSQL service set to run as a domain ...
JoeNahmias
0 votes
1 answer
602 views

Kerberos auth from non-domain joined machines using custom UPN suffix

I am trying to access resources inside an Active Directory domain from a non-domain joined Windows 10 machine. The domain is ad.example.com, but there is also the alternative UPN suffix example.com. ...
St0rmi
  • 1
0 votes
0 answers
527 views

Impact of KrbTgtFullPAC Signature (CVE-2022-37967) patches

I am a bit concerned about the Windows November 2022 patches that introduced signing of the PAC field in Kerberos tickets. There is a RegKey(“KrbtgtFullPacSignature”) that, if set to audit mode, accept ...
404_username_not_found
0 votes
1 answer
485 views

Kerberos settings in GPO never seem to apply in spite of the GPO otherwise working

Server 2019 Domain Environment. Issue is related to the DCs themselves. I've a self-created GPO on my DC OU that sets a bunch of things, several of which are Kerberos settings: Curiously, while ...
The ITea Guy
1 vote
1 answer
327 views

Cannot initialize openLDAP-backed kerberos realm using krb5_ldap_util with startTLS?

I have set up an openLDAP backed MIT Kerberos realm on a server after much iteration, and I am now trying to move it to its own server. When I first set it up on the original server, I created a ...
surfrock66
0 votes
1 answer
2k views

SSSD is not creating a krb5.conf file after realm join, not able to `id` domain users, why?

The main problem is after I join the domain, I cannot id a domain user. Be aware I am not rebooting the host, do I need to? I would think I wouldn't need to. After doing some basic troubleshooting I ...
Dave
  • 287
0 votes
0 answers
261 views

Does Kerberos OOB Patch Change RC4-HMAC Settings on DC

I have a very specific question before we deploy the November 2022 OOB patch to resolve the Kerberos deal on our DCs. 1st - I ran a klist command on a Windows box and it returns about 16 server ...
DesignerMind
0 votes
1 answer
617 views

Same FQDN for different IP depending on connection

I run a Kerberos / LDAP user authentication on Debian, which has worked nicely for decades. I now would like to use notebooks, which may connect by wire or by WiFi. I'm stuck thinking how to set up this ...
Lars Hanke
0 votes
0 answers
142 views

Active Directory: How to allow a foreign server to authenticate with a delegated ticket

It is a complex setup, which I want to explain first (if you don't care, just scroll to 5) ) : 1) Company has multiple Active Directory Forests, which are: user.local --> here are all user accounts ...
TheFamousSpy
1 vote
0 answers
302 views

Kerberos delegation is failing to work with Java application

I have a Java web application running on Tomcat and Linux. This application uses Kerberos authentication for clients, so workstations are able to connect to the site and their windows credentials will ...
Aditya K
  • 923
0 votes
1 answer
819 views

Kerberos has (partly?) no support for AES256 on Ubuntu 22.04

I have an issue trying to do a kinit on ubuntu 22.04 with a user that has the "This account supports Kerberos AES 256 bit encryption" checkmark set. I can kinit without issues to a user that ...
Catscrash
2 votes
1 answer
10k views

Still suffering from Windows NPS May 2022 Certificate Update

In May 2022 Microsoft changed the way that client certificates are mapped to AD accounts, causing 802.1X EAP-TLS computer account authentication to stop working. Here is an additional resource with ...
namezero
  • 181
0 votes
0 answers
213 views

Apache - authorize users either by client certificate or by ldap group membership

I use Apache as a reverse proxy to check the authorization of incoming requests. Until now only Kerberos was provided as authentication method for "/" and client certificates for "/api&...
derBobby
1 vote
1 answer
575 views

GPO settings for Kerberos authentication

My customer requires SSO in a Windows domain for my Linux-based web/application server. The server has its own keytab installed and it all works fine. The Windows domain (EXAMPLE.ORG) has a service user ...
kab00m
  • 508
