kerberos

Kerberized NFS mounts stopped working with Ubuntu 21.10 (still in 22.10)

I’m running a Raspberry Pi 400 with Ubuntu. I used to have a working kerberized NFS connection to a Debian based NFS server using Ubuntu 20.04 LTS. Also I’m running another client with 20.04 LTS which still can connect to the NFS server without …

Total answers: 1

The kerberos option is deprecated on smbclient, but is the only option working!

On Slackware 15 (Samba version 4.15.10) I want to do smbclient, with gssapi/kerberos auth. Of course the kerberos client cache is already set at login and I can see the file cache in tmp dir. PAM is configured to use pam_krb5 for …

Total answers: 2

Samba net rpc rights grant SeDiskOperatorPrivilege: NT_STATUS_INVALID_TOKEN

I’ve just installed Ubuntu Server 22.04 and am joining it to an existing AD as a member server. I’m following this howto: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Everything’s working fine until I get to net rpc rights grant "SAMDOMUnix Admins" SeDiskOperatorPrivilege -U "SAMDOMadministrator" which fails as follows: net rpc rights grant “DOMAINUnix Admins” …

Total answers: 1

NFS permission denied with sec=krb5p

I’m setting up NFSv4.2 with MIT Kerberos (sec=krb5p) on two Hyper-V VMs running Debian 11 (Bullseye). When I use machine-based authentication (sec=sys), everything works fine. With Kerberos (sec=krb5p), I’m able to mount the share on the client, but I see Permission denied when I try to access the share. I’ve …

Total answers: 1

Edit Sudoers file to allow sudo rights to a AD domain group

I recently managed to get my Ubuntu Server 18.04 machine connected to my company’s Windows AD. I am able to log in with my AD credentials; however, I want to take it a step further… This is the article I followed in order to …

Total answers: 5

Fedora 26 NFS + Kerberos "Preauthentication failed" (mount lead to no permission)

I’m having a hard time trying to set up NFS + Kerberos on Fedora 26. I’ve followed this tutorial: RHEL7: Use Kerberos to control access to NFS network shares | CertDepot. At the moment, pure NFS works fine, kinit alone works fine, but I …

Total answers: 1

Samba not starting on Ubuntu Server 16.10

Samba was running well on Ubuntu Server 14.04. After upgrading to 16.10 it doesn’t start anymore. I’ve also tried to install Samba on a fresh 16.10 VM and it doesn’t work. Here is the service error message: root@srvvm:~# systemctl restart smbd Job for smbd.service failed because the control process …

Total answers: 1

PAM vs LDAP vs SSSD vs Kerberos

I am basically aware of what these services do separately from each other. What I want to know: what exactly happens on a successful login in a Linux-based network that uses all of these services? In which order are these services consulted? What service talks to what …

Total answers: 1

Why do I get permission denied error when I log out of the SSH session?

I have to run some tests on a server at the University. I have SSH access to the server from the desktop in my office. I want to launch a Python script on the server that will run several tests …

Total answers: 3

oddjob_mkhomedir doesn't run when logging in via SSH with Kerberos

I currently have a server which has Kerberos/SSSD/Samba to authenticate to Windows 2012 AD. In /etc/pam.d/system-auth oddjob_mkhomedir is set as below: session optional pam_oddjob_mkhomedir.so umask=0077 skel=/etc/skel This was set by running authconfig --enablesssdauth --enablesssd --enablemkhomedir --update. However when logging in via SSH with an AD …

Total answers: 3

How to automate ktutil to immediately list keytab entries?

I use MIT ktutil a lot on Linux and I am fed up using the following sequence, even if command shortcuts and file name completion are here to help: ktutil rkt my.keytab l Isn’t there a way to get the same result in a “one-line” way …

Total answers: 4

List Kerberos principals with valid TGTs

Is it possible to query my (MIT) Kerberos KDC to return a list of principals who have been issued TGTs that are currently valid? My use case is that I would like to find out which users are currently logged in on any machine in a networked environment by …

Total answers: 1

Understanding Kerberized NFSv4 Authorization

Articles such as this one seem to point out that Kerberizing NFS(v4) mounts not only prevents machines without a Kerberos service ticket from mounting the shared directory but also uses the user’s Kerberos ticket to authorize user actions on the shared files. I quote the relevant part: Before NFSv4, security on …

Total answers: 1

Kerberos authentication fails with forced password change

I have configured PAM authentication to use Kerberos and can authenticate correctly with my principals using their Kerberos credentials. I ran into trouble when I tried to create a principal with an expired password: kadmin: addprinc +needchange test_principal When I tried logging in (either from a VT or …

Total answers: 1

Get a Kerberos service ticket from the command line

I am in the process of debugging a Kerberos setup. I have a valid krb5.conf and I can call kinit USERNAME to get a Ticket Granting Ticket (TGT): Credentials cache: /root/krb5cc_root Default principal: USERNAME@EXAMPLE.COM Number of entries: 1 [1] Service principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM Valid starting: Wednesday, June …

Total answers: 1

How could I eliminate Kerberos for passwd?

When I issue a command to change my password like this: sudo passwd huahsin The system prompts me: Current Kerberos password: I don’t know what I have done to the system configuration, how could I eliminate this Kerberos thing when I change my password? Asked By: huahsin68 || …

Total answers: 2

SSH authentication using gssapi-keyex or gssapi-with-mic (publickey not permitted)

My company has disabled SSH public key authentication, therefore I have to manually enter my password each time (I am not supposed to change /etc/ssh/sshd_config). However gssapi-keyex and gssapi-with-mic authentications are enabled (please see below ssh debug output). How could I use automatic login in this …

Total answers: 2

Keep kerberos ticket across sudo invocation

On a regular Linux machine, when I use sudo -s as a normal user, I become root but HOME still points to ~user, so every admin has his own environment etc. (this is without env_reset or always_set_home set). On a system where the home directories live on an AFS …

Total answers: 1

Public Key Auth + Kerberos

I’ve set up public key authentication for enabling SSH connection into my university machine. However, it only logs me in on the local machine and doesn’t give me Kerberos credentials which I need for accessing my network folder. This causes problems with tools like git. Is there a way for me …

Total answers: 1