Hi List,
Is there any way we can recreate the system keytab file of a machine joined to AD if the file has been broken/deleted? I want to avoid doing the join again as this would probably delete the existing account (with all the attributes we have set). Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Mon, Jul 09, 2018 at 12:19:09PM +0000, Ondrej Valousek wrote:
Hi List,
Is there any way we can recreate the system keytab file of a machine joined to AD if the file has been broken/deleted? I want to avoid doing the join again as this would probably delete the existing account (with all the attributes we have set). Thanks,
If you used 'net ads join' to join then 'net ads keytab create' might work for you because Samba can recover the keytab with the help of the stored plain text password.
With 'adcli update' you have to kinit first as a user who can update the password and then use the --login-ccache option, because chances are you cannot kinit with the keytab anymore. But you should use an account which is only allowed to update the password, because otherwise adcli might try to update other attributes as well.
On AD you can use the ktpass.exe utility to export a fresh keytab.
HTH
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted....
Thanks, "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous. I would like to add some parameter to it to only fill it with entries relevant to my computer - i.e. something like:
net ads keytab create --only-obj <my_hostname>
which would add the UPN and SPNs (both can easily be grabbed from AD) related to my hostname.
Ondrej
On Mon, 9 Jul 2018, Ondrej Valousek wrote:
Thanks, "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous. I would like to add some parameter to it to only fill it with entries relevant to my computer - i.e. something like:
net ads keytab create --only-obj <my_hostname>
which would add the UPN and SPNs (both can easily be grabbed from AD) related to my hostname.
It does *what*?!!!
jh
Talking about renewing keys: in our setup we use a service account which has the rights to join machines to the domain; the Linux workstations are in a special OU. I run a cron job which calls msktutil --auto-update every day to renew the machine password if it is over 30 days old. As discussed in another thread, I am not sure if our setup is using adcli automatically from sssd to renew the machine password.
Yesterday msktutil failed on one machine, as it looked like the Kerberos ticket for that service account had expired. I did a kinit as that user and everything worked with msktutil. The password was over 30 days old and it got renewed.
However, I am a bit troubled here - surely I do not have to renew the service account ticket every N days as well. What a ruddy big faff...
On 9 July 2018 at 16:23, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
It does *what*?!!!
jh
On Mon, Jul 09, 2018 at 02:20:31PM +0000, Ondrej Valousek wrote:
Thanks, "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous. I would like to add some parameter to it to only fill it with entries relevant to my computer - i.e. something like:
net ads keytab create --only-obj <my_hostname>
which would add the UPN and SPNs (both can easily be grabbed from AD) related to my hostname.
Do you have 'netbios name' set in your smb.conf? This is where net should get your hostname from.
You can use '-d 10' to see in more detail what net is doing.
Nevertheless all the entries it currently creates should use the same keys based on the host password stored by Samba. You can check this with 'klist -k -K -e'.
bye, Sumit
Hi, OK, I did not have 'netbios name' in my smb.conf (which is a simple 4-liner). I added it but it did not make any difference. In summary, it fills my keytab with entries like (as per klist -k -K):
<someones_username>/<myhost>@<KERBEROS_REALM>
or
<some_hostname>/<myhost>@<KERBEROS_REALM>
where <someones_username> is the username of someone in AD and <some_hostname> is the hostname of some machine joined to AD. This command actually runs for a very long time, generating a very big keytab - I guess if I left it running (I break it via Ctrl-C after a minute or so), it would eventually populate my keytab with all accounts in AD.
Whereas I would expect it to actually produce:
<MYHOST$>@<KERBEROS_REALM>
+ all SPNs set in AD, i.e.:
host/<myhost>@<KERBEROS_REALM>
nfs/<myhost>@<KERBEROS_REALM>
Shall I send you the debug log? (I would rather send it to you directly as it contains sensitive information.) My Samba version:
samba-client-libs-4.4.4-12.el7_3.x86_64
samba-common-tools-4.4.4-12.el7_3.x86_64
samba-common-libs-4.4.4-12.el7_3.x86_64
samba-client-4.4.4-12.el7_3.x86_64
samba-common-4.4.4-12.el7_3.noarch
samba-libs-4.4.4-12.el7_3.x86_64
Thanks, Ondrej
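Sumit's suggestion to inspect the keytab with 'klist -k -K -e' and the stray entries Ondrej lists above both come down to one check: does every principal in the keytab belong to this host? The following is an added example, not code from the thread, from Samba or from SSSD. It is a POSIX sh function that reads a 'klist -k -e' listing and prints every principal that is neither the machine account (SHORT$@REALM) nor an expected service principal (service/SHORT or service/FQDN @REALM), so that entries such as someones_username/myhost or some_hostname/myhost stand out. The host names, realm, service list and the sample listing are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread, Samba or SSSD. Audits a `klist -k -e`
# listing and reports every principal that is not this host's own: the machine
# account SHORT$@REALM or service/HOST@REALM for an expected service name.
# Host names, realm, service list and the sample listing below are constructed.

# Usage: klist -k -e /etc/krb5.keytab | audit_keytab_listing SHORT FQDN REALM "SERVICES"
# Prints each foreign principal once; exit status 1 if any were found, else 0.
audit_keytab_listing() {
    sname=$1; fname=$2; realm=$3; services=$4
    awk -v sname="$sname" -v fname="$fname" -v realm="$realm" -v services="$services" '
        BEGIN {
            sname = tolower(sname); fname = tolower(fname)
            n = split(tolower(services), list, " ")
            for (i = 1; i <= n; i++) allowed[list[i]] = 1
            foreign = 0
        }
        # Entry lines start with a numeric KVNO; the header and ruler lines do not.
        $1 !~ /^[0-9]+$/ { next }
        {
            princ = $2
            if (princ in seen) next        # klist prints one line per enctype
            seen[princ] = 1
            # Realm check first: Kerberos realms are case-sensitive, compare as given.
            if (split(princ, pr, "@") != 2 || pr[2] != realm) { print princ; foreign++; next }
            name = tolower(pr[1])
            if (name == sname "$") next    # machine account, e.g. WS01$
            # service/instance: keep only expected services on our own short or FQDN name
            m = split(name, parts, "/")
            if (m == 2 && (parts[1] in allowed) && (parts[2] == sname || parts[2] == fname)) next
            print princ; foreign++
        }
        END { exit (foreign > 0) }'
}

# Constructed sample of what `klist -k -e` prints for a keytab that has picked up
# entries for other AD accounts (the symptom described in the thread).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 WS01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/ws01@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/ws01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/ws01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 jdoe/ws01@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 jdoe/ws01@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 fileserver/ws01@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/ws01@OTHER.EXAMPLE (aes256-cts-hmac-sha1-96)'

if printf '%s\n' "$SAMPLE_LISTING" | audit_keytab_listing ws01 ws01.example.com EXAMPLE.COM "host nfs"; then
    echo "keytab holds only this host's principals"
else
    echo "the principals above do not belong to this host; clean the AD object and regenerate the keytab"
fi
```

Against a live system the listing comes from 'klist -k -e /etc/krb5.keytab' (adding -K only appends the key material after the enctype, which the parser ignores), with the short and fully qualified host names from 'hostname -s' and 'hostname -f'. The service list is deliberately an allowlist rather than a check on the instance part alone: the entries Ondrej saw have his own hostname as the instance, so only the service component tells them apart from his legitimate host/ and nfs/ principals.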
Summary: I used to use 'net rpc keytab vampire', which probably populated the host's SPN in AD with all that crap. After cleaning up (had to do it manually, one by one) and deleting the krb5.keytab file, I successfully managed to recreate it with 'net ads keytab create'; I did not even need to have 'netbios name' defined.
Many thanks to Sumit for the help provided! Ondrej
On Tue, Jul 10, 2018 at 11:24:12AM +0000, Ondrej Valousek wrote:
Summary: I used to use 'net rpc keytab vampire', which probably populated the host's SPN in AD with all that crap. After cleaning up (had to do it manually, one by one) and deleting the krb5.keytab file, I successfully managed to recreate it with 'net ads keytab create'; I did not even need to have 'netbios name' defined.
Many thanks to Sumit for the help provided!
Thank you for the feedback, that explains where the user names are coming from.
For others trying to use 'net rpc vampire': you can specify an alternative keytab file with 'net rpc vampire keytab /path/to/other/krb5.keytab'.
bye, Sumit
Ondrej
-----Original Message----- From: Ondrej Valousek [mailto:Ondrej.Valousek@s3group.com] Sent: Tuesday, July 10, 2018 9:40 AM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: recreate machine keytab file
Hi, Ok, I did not have 'netbios name' in my smb.conf (which is a simple 4-liner). I added it but it did not make any difference. In summary, it fills my keytab with entries like (as per klist -k -K):
<someones_username>/<myhost>@<KERBEROS_REALM> Or <some_hostname>/<myhost>@<KERBEROS_REALM>
Where <someones_username> is a username of someone in AD and <some_hostname> is a hostname of some machine joined to AD. This command actually runs for a very long time, generating very big keytab - I guess if I left it running (I break it via Ctrl-C after a minute or so), it would eventually populate my keytab with all accounts in AD.
Whereas I would expect this would actually do:
<MYHOST$>@<KERBEROS_REALM>
- all SPNs set in AD, i.e:
Host/<myhost>@<KERBEROS_REALM> Nfs/<myhost>@<KERBEROS_REALM>
Shall I send you the debug log (I would rather send it to you directly as it contains sensitive information). My samba version: samba-client-libs-4.4.4-12.el7_3.x86_64 samba-common-tools-4.4.4-12.el7_3.x86_64 samba-common-libs-4.4.4-12.el7_3.x86_64 samba-client-4.4.4-12.el7_3.x86_64 samba-common-4.4.4-12.el7_3.noarch samba-libs-4.4.4-12.el7_3.x86_64
Thanks, Ondrej
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Monday, July 09, 2018 4:55 PM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: recreate machine keytab file
On Mon, Jul 09, 2018 at 02:20:31PM +0000, Ondrej Valousek wrote:
Thanks, "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous. I would like to add it some parameter to only will with entries relevant for my computer - i.e. something like:
Net ads keytab create --only-obj <my_hostname>
Which would add UPN and SPN (both can be easily grabbed from AD) related to my hostname.
Do you have 'netbios name' set in your smb.conf? This is where net should got your hostname from.
You can '-d 10' to see in more details what net is doing.
Nevertheless all the entries it currently creates should use the same keys based on the host password stored by Samba. You can check this with 'klist -k -K -e'.
bye, Sumit
Ondrej
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/O7COHRTHRQCYG6BKUMVWBBVTA6ZU6LAZ/
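An added example, not code from this thread and not part of Samba, adcli or msktutil: a small POSIX shell audit for a freshly regenerated keytab. It reads `klist -k -K -e` output and checks the two things discussed above, i.e. that no principal has some other account's name in the service slot (the `<someones_username>/<myhost>@REALM` entries Ondrej saw) and that every entry belonging to this host carries the same kvno and the same key per enctype, as Sumit notes they must, since they all derive from the one machine-account password. The host name `myhost`, realm `EXAMPLE.COM`, the key bytes and the SPN allowlist are assumptions; the sample klist output is constructed after the MIT klist format, not captured from a real system.

```shell
#!/bin/sh
# Keytab audit for a host joined to AD. Reads `klist -k -K -e` output on stdin
# and reports (a) principals that do not belong to this host and (b) own
# entries whose kvno or key differs from the rest. Assumes MIT Kerberos klist
# output (Heimdal's "ktutil list" prints a different layout).

# Constructed sample of `klist -k -K -e /etc/krb5.keytab` output. Host name,
# realm and key bytes are invented; the stray kvno 2 line and the two foreign
# principals are planted so that both checks have something to flag.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 MYHOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   3 MYHOST$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x2222bbbb)
   3 host/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   3 host/myhost.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x2222bbbb)
   3 host/MYHOST@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   3 nfs/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   2 nfs/myhost.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x3333cccc)
   3 alice/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)
   3 otherbox$/myhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x1111aaaa)'

# awk program shared by both checks. Variables: mode (foreign|keys), host
# (short NetBIOS name), fqdn, realm, services (space-separated allowlist of
# SPN service names such as "host nfs cifs", mirroring servicePrincipalName).
KEYTAB_AWK='
BEGIN {
  n = split(services, s, " ")
  for (i = 1; i <= n; i++) allowed[tolower(s[i])] = 1
  lhost = tolower(host); lfqdn = tolower(fqdn); urealm = toupper(realm)
  acct = toupper(host) "$@" urealm            # the account principal MYHOST$@REALM
}
# An entry is "own" if it is the account principal or <svc>/<host|fqdn>@REALM
# with an allowlisted service. Another account name in the service slot
# (alice/myhost..., otherbox$/myhost...) therefore does not count as own.
function own(p,    a, b, svc) {
  if (p == acct) return 1
  if (split(p, a, "@") != 2 || toupper(a[2]) != urealm) return 0
  if (split(a[1], b, "/") != 2) return 0
  svc = tolower(b[1])
  if (!(svc in allowed)) return 0
  return (tolower(b[2]) == lfqdn || tolower(b[2]) == lhost)
}
$1 !~ /^[0-9]+$/ { next }                     # skip the klist header lines
mode == "foreign" && !own($2) { print $2; bad = 1 }
mode == "keys" && own($2) {
  kvnos[$1] = 1; enc = $3; key = $4
  if (enc in keyof) {
    if (keyof[enc] != key) { print "key mismatch " enc " " $2 " kvno " $1; bad = 1 }
  } else keyof[enc] = key
}
END {
  if (mode == "keys") {
    c = 0; for (k in kvnos) c++
    if (c > 1) { print "mixed kvno values among own entries"; bad = 1 }
    if (!bad) print "ok"
  }
  exit (bad ? 1 : 0)
}'

# keytab_foreign HOST FQDN REALM "svc ..." < klist-output
# Prints each principal that is not this host's; exit status 1 if any.
keytab_foreign() {
  awk -v mode=foreign -v host="$1" -v fqdn="$2" -v realm="$3" -v services="$4" "$KEYTAB_AWK"
}

# keytab_key_check HOST FQDN REALM "svc ..." < klist-output
# Prints "ok", or one line per disagreeing entry with exit status 1.
keytab_key_check() {
  awk -v mode=keys -v host="$1" -v fqdn="$2" -v realm="$3" -v services="$4" "$KEYTAB_AWK"
}

# Stand-alone demo on the constructed sample. On a real host feed the live
# keytab instead, e.g.:
#   klist -k -K -e /etc/krb5.keytab | keytab_foreign "$(hostname -s)" "$(hostname -f)" EXAMPLE.COM "host nfs"
printf '%s\n' "$SAMPLE_KLIST" | keytab_foreign MYHOST myhost.example.com EXAMPLE.COM "host nfs" \
  && echo "no foreign principals" || echo "^ foreign principals found in keytab"
printf '%s\n' "$SAMPLE_KLIST" | keytab_key_check MYHOST myhost.example.com EXAMPLE.COM "host nfs" \
  || echo "^ own entries disagree; a stale entry or a half-completed password change"
```

Two caveats for real use: `-K` makes klist print the raw key bytes, so run this as root on the host and do not paste the output into a ticket; and the allowlist should be taken from the computer object's servicePrincipalName attribute, otherwise a legitimately registered SPN (cifs, http, ...) will be reported as foreign.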
On Mon, Jul 9, 2018 at 8:19 AM Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
Is there any way how can we recreate system keytab file of a machine joined to AD if the file has been broken/deleted?
I want to avoid doing join again as this would probably delete the existing account (with all attributes we have set).
The latest version of the msktutil utility (version 1.1) can do this:
https://github.com/msktutil/msktutil/
Remove the corrupted /etc/krb5.keytab file, change the password of the host machine account in AD to a temporary password, and then run:
$ msktutil --update --computer-name SHORTHOSTNAMEALLCAPS --old-account-password <temporary_password> --verbose --verbose
This should change the host machine account password in AD to a new (random) password, and then create a new /etc/krb5.keytab file with all relevant entries.
Depending on your AD configuration, you might need to use the --dont-update-dnshostname option as well.
Well, I could try that but it's not very handy - you need to go to AD and perform the password change manually. I was hoping that "net -U administrator ads keytab create" or similar would do everything necessary in a single run - just like "net ads join".
Ondrej