Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

5 votes
1 answer
16002 views
How to use authentication with negotiation (e.g. Kerberos) to HTTP proxy?
Generally accepted is the use of `HTTP_PROXY`/`HTTPS_PROXY` environment variables to specify the use of a proxy server. Authentication can be included in this URL, e.g. `HTTP_PROXY=http://user:pass@myproxy.mydomain.tld:3128/`. However, I am using Kerberos SSO to authenticate with the proxy. How do I configure that?

So, suppose a Squid proxy server configuration as described here: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos . It describes how Windows clients can use proxy authentication with negotiation, but there's no information on how I can configure Linux/Unix clients.

For cURL, the use of `--proxy-negotiate -u :` does the trick, e.g.:

```
HTTPS_PROXY=http://myproxy.mydomain.tld:3128/ curl --proxy-negotiate -u : https://www.google.com
```

How do I tell non-cURL applications to use this mechanism? E.g. Debian/Ubuntu APT with `Acquire::http::Proxy "http://myproxy.mydomain.tld:3128/";`?

I found [cntlm](http://manpages.ubuntu.com/manpages/xenial/man1/cntlm.1.html) which acts as another locally running proxy in the middle, facilitating unauthenticated connections from localhost. However, this only works with NTLM, where I need Kerberos.

Would Squid be able to connect as a client using Kerberos perhaps? It seems notoriously hard to find authentication capabilities on the *outgoing* connection of proxy servers. All seem to focus on authentication features on the *listening socket* instead.
gertvdijk (14517 rep)
Dec 22, 2017, 12:43 PM • Last activity: Jul 26, 2025, 10:09 PM
5 votes
1 answer
233 views
Kerberos Protocol? Is this correct?
I'm reading *Kerberos : The Definitive Guide*, the original paper from *Xerox (Needham - Schroeder)*, MIT site and Wikipedia. **I'm having some challenges putting the protocol together. Is this correct? Is there some other documentation on it?**

I tried to follow the Xerox Articles "Protocol 1" closer as they seem to show the **protocol** in more detail. I omit the PKE case (pkinit) for now; that will be another post.

**Kerberos 5 : Needham - Schroeder Protocol**

Notation:

- A = *Client Principal* A
- B = *Server Principal* B
- AS = *Authentication Server*
- I = *time*
- A->B : {G, H, I} = *A sends message to B with contents {...}*
- {B}^{KA} = *Key A encrypts {B}*
- CK_AB = *conversation session key between A and B*

Requesting a ticket to another service, start with TGS Ticket Granting Server.

Client Authentication to AS:

1. Initial request when client has no tickets or tickets are expired, B = "krbtgt/REALM@REALM" client principal (Ticket Granting Server TGS), use *kinit* sends to KDC.
2. **A -> AS : {A, B, I_a, I_max}** : AS_REQ
3. AS verifies that B principal exists and time stamp I is close to local time. Grants ticket or throws error in AS_RESP. Assume no error here.
4. Authentication server responds with timestamp I, B/TGS Principal, Session Key CK_AB for A and B, Ticket Granting Ticket (TGT) encrypted with KB_KTGS.
5. **AS -> A : {I_a, I_max, B, CK_AB, {CK_AB, A, I_a, I_max}^{KB}}^{KA}** : AS_REP
6. Ticket Granting Ticket TGT = **{CK_AB, A, I_a, I_max}^{KB}**, and **CK, I** can be stored in client's local *credential cache*. See below on caching protocol change.
7. Make request to Ticket Granting Server TGS using the *authenticator* {CK_AB, A, I_a, I_max}^{KB}.
8. **A->B : {CK_AB, A, I_a, I_max}^{KB}** : TGS_REQA
9. Now continue with *Replay Attack Prevention*.

This is as documented by *Xerox paper*:

10. **B->A : {I_b}^{CK_AB}** : TGS_REQB : Where B/TGS and I_b is the ticket lifetime
11. **A->B : {I_b - 1}^{CK_AB}** : TGS_REQB

This is as documented by *The Definitive Guide*:

10. **A->B : {I_b}^{CK_AB}** : TGS_REQB
11. **B->A : {I_b + 1}^{CK_AB}** : TGS_REQB

Client A Service Authorization request to TGS to access service from C:

12. **A->B: {A, C, I_a, {CK_AB, A, I_a, I_max}^{KB}}^CK_AB** : TGS_REQC
13. TGS/B creates new session key for A and C to communicate; CK_AC is created and sent in reply.
14. **B->A: {CK_AC, I_c, {CK_AC, A, A_IP, I}^{KC}}^CK_AB** : TGS_REP

Client A Service Request to C:

15. Client has session key **{CK_AC, I_c, {CK_AC, A, I}^{KC}}^CK_AB**
16. Client sends Authenticator to Application Server
17. **A->C: {A, C, I_a, {CK_AC, A, I}^{KC}}^CK_AC** : AP_REQ
18. Server provides requested services to client. : AP_REP

Steps if CK is kept in client credential cache; this reduces protocol steps to 3. Reduces compute on AS to generate {I_a, B, CK, {CK,A}^KB}^KA and client to decrypt, and network traffic:

1. **A->B : {CK_AB, A}^KB, {I_A2}^CK_AB**
2. **B->A : {I_A2 - 1, I_B}^CK_AB**
3. **A->B : {I_B - 1}^CK_AB**
atod (155 rep)
Jul 17, 2025, 01:18 AM • Last activity: Jul 17, 2025, 04:08 PM
3 votes
1 answer
12027 views
Kerberos/Samba can't join Active Directory [DEBIAN 8]
I have an issue when I try to join my domain. I am able to create the kerberos ticket successfully.

```
root@debian:~# kinit Administrateur@ASP.DOMAIN
Password for Administrateur@ASP.DOMAIN:
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrateur@ASP.DOMAIN

Valid starting       Expires              Service principal
26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN
	renew until 27/04/2016 18:20:11
```

and when I try to join the domain:

```
root@debian:~# net ads join -k
Failed to join domain: failed to lookup DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
```

my krb5.conf is:

```
[libdefaults]
    default_realm = ASP.DOMAIN

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    ASP.DOMAIN = {
        kdc = asp.domain
        admin_server = server.domain
        default_domain = DOMAIN
    }

[domain_realm]
    .asp.domain = ASP.DOMAIN
    asp.domain = ASP.DOMAIN
```

My smb.conf:

```
[global]
    security = ADS
    realm = ASP.DOMAIN
    password server = server.domain
    workgroup = asp.domain
    winbind separator = /
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    winbind use default domain = yes
    domain master = no
    local master = no
    preferred master = no
    os level = 0
```

I have no idea: there is no drop on my firewall. The ticket is ok. I've tried with 3 Domain Controllers.

PS : Domain is a variable

EDIT : I've tried to do it with samba-tool too

```
root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN
ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run
    machinepass=machinepass)
```

EDIT 2 : Join is ok ? But wbinfo -u is not ok

```
root@debian:~# net ads join -U Administrateur
Enter Administrateur's password:
Using short domain name -- DOMAIN
Joined 'ASP.DOMAIN' to dns domain 'asp.domain'
DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@debian:~# net ads testjoin
Join is OK
root@debian:~# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
```

EDIT 3 : (screenshot)

EDIT 4 :

```
root@debian:~# service winbind status
● winbind.service - LSB: start Winbind daemon
   Loaded: loaded (/etc/init.d/winbind)
   Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago
  Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)

avril 27 16:16:00 debian winbindd: #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]
avril 27 16:16:00 debian winbindd: #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]
avril 27 16:16:00 debian winbindd: #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]
avril 27 16:16:00 debian winbindd: #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]
avril 27 16:16:00 debian winbindd: #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]
avril 27 16:16:00 debian winbindd: #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]
avril 27 16:16:00 debian winbindd: #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]
avril 27 16:16:00 debian winbindd: [2016/04/27 16:16:00.971185, 0] ../source3/lib/dumpcore.c:318(dump_core)
avril 27 16:16:00 debian winbindd:   dumping core in /var/log/samba/cores/winbindd
avril 27 16:16:00 debian winbindd:
```
Mikael Denis (31 rep)
Apr 27, 2016, 08:41 AM • Last activity: Jun 28, 2025, 07:08 PM
2 votes
1 answer
8040 views
"incorrect mount option was specified" when mounting krb5p nfs4 partition on Ubuntu
I have a NFS4 share running with krb5p. I have no problems accessing it from CentOS clients, all that is required is:

```
yum install krb5-workstation
setup krb5 (edit krb5.conf, setup keytab)
systemctl enable nfs-secure.service && systemctl start nfs-secure.service
systemctl enable nfs-client.target && systemctl start nfs-client.target
mkdir /mnt/x
```

Add the following to fstab:

```
server.example.com:/srv/share/subdir /mnt/x nfs4 defaults,sec=krb5p,noexec,nosuid,_netdev,auto 0 0
```

This works great on CentOS, I've set up a dozen client hosts so far that way. However on Ubuntu, I get:

```
mount.nfs4: an incorrect mount option was specified
```

I think the Ubuntu error is to do with nfs-secure.service, however there seems to be no equivalent on Ubuntu that gets installed with NFS client? (I am using Ubuntu 16.04.5 LTS).

***UPDATE:*** I have tried:

```
systemctl enable rpc-gssd.service && systemctl start rpc-gssd.service
```

That launches OK:

```
# systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/lib/systemd/system/rpc-gssd.service; static; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-04 16:49:40 BST; 6min ago
  Process: 51689 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
 Main PID: 51691 (rpc.gssd)
    Tasks: 1
   Memory: 516.0K
      CPU: 13ms
   CGroup: /system.slice/rpc-gssd.service
           └─51691 /usr/sbin/rpc.gssd
```

But Ubuntu just hangs when trying to mount?

```
# mount -v -t nfs4 -o defaults,sec=krb5p,noexec,nosuid,_netdev,auto server.example.com:/srv/dir/example /mnt/example
mount.nfs4: timeout set for Thu Oct  4 16:54:40 2018
mount.nfs4: trying text-based options 'sec=krb5p,addr=10.10.10.10,clientaddr=10.10.10.9'
# NOTHING ELSE HAPPENS.....
```
Little Code (491 rep)
Oct 4, 2018, 03:15 PM • Last activity: May 20, 2025, 08:00 PM
3 votes
1 answer
4704 views
Utilizing Samba Shares Without using Winbind
I am curious if it is possible to use samba shares without using winbind. In our current environment we are using SSSD, Kerberos, and Samba to complete the required tasks such as joining the windows domain and setting up active directory. Since we are using SSSD instead of winbind, how can we set up a samba share for the Windows machines to access using the current implementation? I can share some of the configuration as necessary. Using RedHat Enterprise 6 and Samba v 3.6.9
user2104891 (31 rep)
Nov 19, 2014, 03:23 AM • Last activity: Apr 26, 2025, 09:00 PM
1 vote
0 answers
42 views
How to debug chpasswd "Authentication token manipulation error"
I'm trying to programmatically change a user's password using chpasswd, but I'm getting the following error:
```
/sbin/chpasswd "
chpasswd: (user 0s22xmgW) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user 0s22xmgW) password not changed
root@phantom:/home/ealfonso#
```
After trying to enhance pam debug logging by appending "debug" to most lines in /etc/pam.d/common-auth and /etc/pam.d/common-password, and checking /var/auth.log, I see the following logs:
```
2025-04-23T12:37:33.676089-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: entry (prelim)
2025-04-23T12:37:33.676432-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) attempting authentication as 0s22xmgW@example.com for kadmin/changepw
2025-04-23T12:37:34.701043-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) krb5_get_init_creds_password: Client '0s22xmgW@example.com' not found in Kerberos database
2025-04-23T12:37:34.701246-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: exit (failure)
2025-04-23T12:37:34.701331-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:34.701762-04:00 phantom chpasswd: gkr-pam: invalid option: debug
2025-04-23T12:37:34.701966-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: entry (update)
2025-04-23T12:37:34.702065-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) attempting authentication as 0s22xmgW@MY_REALM for kadmin/changepw
2025-04-23T12:37:35.719315-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) krb5_get_init_creds_password: Client not found in Kerberos database
2025-04-23T12:37:35.719842-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: exit (failure)
2025-04-23T12:37:35.719923-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:35.719980-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): password - new password not obtained
```
I do use kerberos authentication for AFS and I see some kerberos-related logs, but in this case I'm only trying to change the local unix password of the local unix user. The last two lines in the log show that chpasswd was able to obtain the user, but for some unknown reason, not the password:
```
2025-04-23T12:37:35.719923-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:35.719980-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): password - new password not obtained
```
How can I get the reason behind the "new password not obtained" error and further debug this? I did try using strace and I see some kerberos-auth-related DNS and network requests, but again I'm not sure whether those are relevant to the failure to set the local unix password. For detail, below is the strace log: I think I do have the proper permissions on /etc/passwd and /etc/shadow:
```
ls -l /etc/shadow /etc/passwd
-rw-r--r-- 1 root root   2474 Apr 23 12:30 /etc/passwd
-rw-r----- 1 root shadow 1371 Apr 23 12:30 /etc/shadow
```
Output of `grep -i password /etc/pam.d/common*`:

```
# grep -i password /etc/pam.d/common*
/etc/pam.d/common-password:# /etc/pam.d/common-password - password-related modules common to all services
/etc/pam.d/common-password:# used to change user passwords.  The default is pam_unix.
/etc/pam.d/common-password:#hashed passwords using the yescrypt algorithm, introduced in Debian
/etc/pam.d/common-password:#used the option "sha512"; if a shadow password hash will be shared
/etc/pam.d/common-password:password     [success=2 default=ignore]      pam_krb5.so minimum_uid=1000 debug
/etc/pam.d/common-password:password     [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt debug
/etc/pam.d/common-password:password     requisite                       pam_deny.so debug
/etc/pam.d/common-password:password     required                        pam_permit.so debug
/etc/pam.d/common-password:password     optional        pam_gnome_keyring.so debug
/etc/pam.d/common-password:password     optional        pam_ecryptfs.so debug
```
Output of `cat /etc/nsswitch.conf`:

```
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the glibc-doc-reference' and info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files systemd
gshadow:        files systemd

hosts:          files mdns4_minimal dns [NOTFOUND=return] dns mymachines myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
```
$ grep -P "pam_unix|pam_krb" -R /etc/pam.d
common-account :17:account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
common-account :25:account	required			pam_krb5.so minimum_uid=1000
common-auth :17:auth	[success=2 default=ignore]	pam_krb5.so minimum_uid=1000 debug
common-auth :18:auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass debug
common-session-noninteractive :24:session	optional			pam_krb5.so minimum_uid=1000
common-session-noninteractive :25:session	required	pam_unix.so 
runuser :5:session		required	pam_unix.so
login :8:# to disable any delay, you should add the nodelay option to pam_unix)
common-password :6:# used to change user passwords.  The default is pam_unix.
common-password :8:# Explanation of pam_unix options:
common-password :15:#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
common-password :25:password	[success=2 default=ignore]	pam_krb5.so minimum_uid=1000 debug
common-password :26:password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt debug
common-session :23:session	optional			pam_krb5.so minimum_uid=1000
common-session :24:session	required	pam_unix.so
```
ealfonso (993 rep)
Apr 23, 2025, 04:51 PM • Last activity: Apr 23, 2025, 07:44 PM
0 votes
1 answer
21 views
Mit krb5 server: where is kpasswd daemon? How the server can change user password?
On Kerberos we have 3 "servers": kdc is the key distribution center, as the name says it provides "tickets"; kadmin is for administering the server (add principals, keytabs, etc.); and finally kpasswdd is to permit the user to change his password from remote (using passwd + krb5_pam module).

I have configured a mit krb5 server, all works: keytab, principals, kinit, etc. The problem is when I change password from a client it gives me an error, probably for the lack of kpasswd daemon.

```
dnf provides */kpasswdd
Last metadata expiration check: 1:09:14 ago on Thu 13 Mar 2025 07:39:41 AM CET.
heimdal-server-7.8.0-5.el9.x86_64 : Heimdal kerberos server
Repo        : epel
Matched from:
Filename    : /usr/libexec/kpasswdd
```

Any idea?

This is the error; as you can see authentication login works fine, but it gives error "cannot contact kdc", although I can resolve it using dig and nslookup.

```
debian login: pino
Password:
Linux debian 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creazione della directory «/home/pino».
pino@debian:~$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Cannot contact any KDC for requested realm
password change failed: Invalid credentials
passwd: Errore manipolazione token di autenticazione
passwd: password unchanged
```

kdc seems to be resolvable (otherwise even login would fail):

```
nslookup -type=srv _kerberos._tcp.BLU.PRIV
Server:		192.168.201.1
Address:	192.168.201.1#53

Non-authoritative answer:
_kerberos._tcp.BLU.PRIV	service = 0 100 88 ldap1.blu.priv.

Authoritative answers can be found from:
```

Even kpasswd fails:

```
kpasswd
Password for pino@BLU.PRIV:
Enter new password:
Enter it again:
kpasswd: Cannot contact any KDC for requested realm changing password
```
elbarna (13690 rep)
Mar 13, 2025, 08:01 AM • Last activity: Mar 13, 2025, 12:34 PM
0 votes
1 answer
33 views
Pam with krb5: very strange local user login, krb5 user login, root..no
This is my pam.conf for Slackware 15.0

```
#%PAM-1.0
#
# Most of these PAM modules have man pages included, like
# pam_unix(8) for example.
#
##################
# Authentication #
##################
#
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_unix.so likeauth nullok
-auth       optional      pam_gnome_keyring.so
##################
# Account checks #
##################
#
# Only root can login if file /etc/nologin exists.
# This is equivalent to NOLOGINS_FILE on login.defs
#
account     required      pam_nologin.so
#
# Enable restrictions by time, specified in /etc/security/time.conf
# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
#
account     required      pam_time.so
account     sufficient    pam_krb5.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so
#############################
# Password quality checking #
#############################
#
# Please note that unless cracklib and libpwquality are installed, setting
# passwords will not work unless the lines for the pam_pwquality module are
# commented out and the line for the traditional no-quality-check password
# changing is uncommented.
#
# The pam_pwquality module will check the quality of a user-supplied password
# against the dictionary installed for cracklib. Other tests are (or may be)
# done as well - see: man pam_pwquality
#
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
password    requisite     pam_pwquality.so minlen=6 retry=3
password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
#password   sufficient    pam_unix.so nullok sha512 shadow minlen=6
# ATTENTION: always keep this line for pam_deny.so:
password    required      pam_deny.so
#########################
# Session Configuration #
#########################
#
# This applies the limits specified in /etc/security/limits.conf
#
session     optional      pam_krb5.so
session     optional      pam_mkhomedir.so
session     required      pam_limits.so
session     required      pam_unix.so
#session    required      pam_lastlog.so showfailed
#session    optional      pam_mail.so standard
-session    optional      pam_gnome_keyring.so auto_start
```

I want users to authenticate to kerberos/ldap (ldap for info, kerberos for password). With this pam configuration I obtain a strange result:

- local unix users can authenticate..and it is OK
- remote ldap users can authenticate..and it is OK
- root cannot authenticate!

What am I missing?
elbarna (13690 rep)
Mar 13, 2025, 10:45 AM • Last activity: Mar 13, 2025, 11:22 AM
15 votes
3 answers
33305 views
How could I eliminate Kerberos for passwd?
When I issue a command to change my password like this: `sudo passwd huahsin` The system prompts me: `Current Kerberos password:` I don't know what I have done to the system configuration, how could I eliminate this Kerberos thing when I change my password?
huahsin68 (1967 rep)
Feb 20, 2014, 02:30 AM • Last activity: Feb 27, 2025, 11:18 PM
3 votes
2 answers
5702 views
PAM configuration with Kerberos authentication but without need of local accounts
I have a working Kerberos authentication tested with `kinit` on Debian Buster. Now I try to use it with [PAM for login with Kerberos](https://wiki.debian.org/LDAP/Kerberos#PAM) and installed `libpam-krb5` and configured it with `pam-auth-update`. But the documentation in `/usr/share/doc/libpam-krb5/README.Debian.gz` notes:

> This configuration will still require that users be listed in /etc/shadow, since otherwise the pam_unix account module will fail. Normally, accounts that should only use Kerberos authentication should be created with adduser --disabled-password. If you don't want the accounts to be listed in /etc/shadow at all (if, for example, you're using some other source than files for your nsswitch configuration), you can mark the pam_krb5 account module as sufficient rather than required so that pam_unix isn't run. This will mean that you won't be able to disable accounts locally.

I don't want the accounts to be listed locally in /etc/shadow again in addition to the Kerberos Database because it is redundant work for me. I tried a login with the default setup and get this failure:

```
Debian GNU/Linux 10 deb10-base ttyS0

deb10-base login: ingo
Password:

Authentication failure
```

In journalctl I find this:

```
Oct 06 15:33:08 deb10-base login: pam_krb5(login:auth): user ingo authenticated as ingo@EXAMPLE.COM
Oct 06 15:33:08 deb10-base login: pam_unix(login:account): could not identify user (from getpwnam(ingo))
Oct 06 15:33:08 deb10-base login: Authentication failure
```

That is exactly what is expected from the quoted documentation above. But I don't understand the comment: where and what do I modify in the PAM configuration files? The current configuration files do not match the documentation. What entry in what PAM configuration file do I have to modify from **required** to **sufficient**? Are there maybe other things to do? If possible I would like to preserve the pam-auth-update config sections.

**Update:** Forgot to mention that I started pam-auth-update and checked the options:

```
[*] Kerberos authentication
[*] Unix authentication
[*] Create home directory on login
```

I tried to uncheck "*Unix authentication*" but that makes the login unusable. I wasn't able to login again, not even as root. I had to recover from a snapshot.
Ingo (726 rep)
Oct 6, 2019, 03:50 PM • Last activity: Feb 27, 2025, 11:06 PM
1 vote
0 answers
742 views
Bursts of errors "Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client (...) not found in Kerberos database."
I have set up some RHEL9 servers to authenticate through the AD for the domain EXAMPLE.XYZ; this is done via Ansible playbooks, and so far all works well. (It's the same setup as this previous question: https://unix.stackexchange.com/questions/786569/joining-domain-via-ansible-returns-error-already-joined-to-this-domain-while-v)

However, every few minutes, on each host (let's say on myhost42) there are bursts of error messages, several times per second, in /var/log/messages:

```
Feb 19 15:23:32 myhost42 ldap_child: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'MYHOST42$@EXAMPLE.XYZ' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
```

This is the /etc/krb5.conf file:

```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = true
    default_realm = EXAMPLE.XYZ
    default_ccache_name = KEYRING:persistent:%{uid}
    udp_preference_limit = 0

[realms]

[domain_realm]
```

What can be done to troubleshoot the issue?

---

EDIT #1: Based on a comment below and my research, it might be due to a missing association between the AD domain and the Kerberos realm and/or missing entries in the Kerberos keytab.

However, I'm using the same configuration as another server farm, which works correctly.

This is the output of `klist -kt /etc/krb5.keytab`:

```
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
   3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
```
dr_ (32068 rep)
Feb 19, 2025, 02:45 PM • Last activity: Feb 26, 2025, 10:57 AM
0 votes
0 answers
354 views
How to install kerberos client on Ubuntu 22
I was asked to integrate some new Ubuntu 22 boxes into an existing Kerberos infrastructure. I found several references for installing a kerberos client which all start with:

```
sudo apt-get install krb5-user
```

Unfortunately this results in:

```
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package krb5-user is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'krb5-user' has no installation candidate
```
I do not have a lot of experience with Ubuntu so maybe this is normal. Is Kerberos not supported on Ubuntu? If it is supported, what do I do to fix this?
Stephen Carville (3 rep)
Feb 13, 2025, 08:22 PM
1 votes
3 answers
10832 views
Samba winbind: how to authenticate from trusted AD domain (one-way trust)?
Hello, Linux newbie here.

**What I am trying to achieve:** to be able to log in to a Linux machine with Active Directory credentials from a trusted domain. I have the following setup:

```
+----------------+                 +---------------+     +-----------+
|    Forest B    |                 |    Forest A   |     |  User in  |
|                |  one-way trust  |               |     |  domain B |
|    Domain B    +<----------------+    Domain A   |     |           |
|     b.net      |                 |     a.net     |     +-----------+
|                |                 |               |
|                |                 |               |
+----------------+                 +-------+-------+
                                           |
                                           |
                                   +-------+-------+
                                   |               |
                                   | Ubuntu 16.04  |
                                   | samba 4.7.12  |
                                   |               |
                                   |               |
                                   +---------------+
```

I have successfully joined my Ubuntu 16.04 to Active Directory domain A with samba winbind, but I am unable to log in to the machine with a user account that exists in domain B. Domain A and domain B are Active Directory domains and they have a one-way trust so that domain A trusts domain B, but domain B does not trust domain A.

Here are my smb.conf, krb5.conf and nsswitch.conf.

/etc/samba/smb.conf

```
[global]
workgroup = A
security = ADS
realm = A.NET
encrypt passwords = yes
idmap config *:range = 16777216-33554431
allow trusted domains = yes
winbind trusted domains only = no
kerberos method = secrets and keytab
winbind refresh tickets = yes
template shell = /bin/bash
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
```

/etc/krb5.conf

```
[libdefaults]
default_realm = A.NET
dns_lookup_kdc = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu:88
    kdc = kerberos-1.mit.edu:88
    kdc = kerberos-2.mit.edu:88
    admin_server = kerberos.mit.edu
    default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
    kdc = kerberos.media.mit.edu
    admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
    kdc = casio.mit.edu
    kdc = seiko.mit.edu
    admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
    kdc = three-headed-dogcow.mit.edu:88
    kdc = three-headed-dogcow-1.mit.edu:88
    admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
    kdc = kerberos-1.csail.mit.edu
    kdc = kerberos-2.csail.mit.edu
    admin_server = kerberos.csail.mit.edu
    default_domain = csail.mit.edu
    krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
    kdc = kerberos.ihtfp.org
    admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
    kdc = kerberos.gnu.org
    kdc = kerberos-2.gnu.org
    kdc = kerberos-3.gnu.org
    admin_server = kerberos.gnu.org
}
1TS.ORG = {
    kdc = kerberos.1ts.org
    admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
    kdc = kerberos.gratuitous.org
    admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
    kdc = kerberos.doomcom.org
    admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
    kdc = kerberos.andrew.cmu.edu
    kdc = kerberos2.andrew.cmu.edu
    kdc = kerberos3.andrew.cmu.edu
    admin_server = kerberos.andrew.cmu.edu
    default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
    kdc = kerberos.cs.cmu.edu
    kdc = kerberos-2.srv.cs.cmu.edu
    admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
    kdc = kerberos.dementix.org
    kdc = kerberos2.dementix.org
    admin_server = kerberos.dementix.org
}
stanford.edu = {
    kdc = krb5auth1.stanford.edu
    kdc = krb5auth2.stanford.edu
    kdc = krb5auth3.stanford.edu
    master_kdc = krb5auth1.stanford.edu
    admin_server = krb5-admin.stanford.edu
    default_domain = stanford.edu
}
UTORONTO.CA = {
    kdc = kerberos1.utoronto.ca
    kdc = kerberos2.utoronto.ca
    kdc = kerberos3.utoronto.ca
    admin_server = kerberos1.utoronto.ca
    default_domain = utoronto.ca
}
A.NET = {
    admin_server = dc.a.net
    kdc = dc.a.net
}
B.NET = {
    admin_server = dc.b.net
    kdc = dc.b.net
}

[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
a.net = A.NET
.a.net = A.NET
b.net = B.NET
.b.net = .B.NET

[login]
krb4_convert = true
krb4_get_tickets = false
```

/etc/nsswitch.conf

```
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

Most of the modifications are based on these instructions, though I added domain B to krb5.conf: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/7-15-ltsr/installation-overview/ubuntu.html

I have tried the following wbinfo commands:

- **wbinfo --online-status** shows domain A online, but domain B offline.
- **wbinfo -n B\\administrator** returns a SID, and wbinfo -s SID returns the name.
- **wbinfo -m** returns:

```
BUILTIN
MYLINUX
A
B
```

- **wbinfo -K B\\user%password** returns the following error message:

```
wbcLogonUser(B\user): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers are currently available to service the logon request.
Could not authenticate user [B\user%password] with Kerberos (ccache: FILE)
```

I would really appreciate it if someone could help me solve this. How would I start to troubleshoot this issue?
randomuser56789 (11 rep)
Aug 17, 2019, 08:12 AM • Last activity: Jan 23, 2025, 09:59 AM
2 votes
1 answers
87 views
How to set correctly a password aging using krb5?
I have a Solaris server; it uses LDAP for user authentication and Kerberos for passwords. The user can change his password; I only have a problem with password aging, for example:

```
passwd -r ldap -n 12 giovanni
Enter giovanni's password:
Permission denied
```

This is the pam.conf for passwd:

```
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_dhkeys.so.1
passwd auth sufficient pam_krb5.so.1
passwd auth required pam_unix_cred.so.1
passwd auth required pam_unix_auth.so.1
```

I know that on Kerberos it is possible to use policies, but what if I want to set password aging for a user? Do I have to set a policy only for this user? Is there no way to use the passwd command?
elbarna (13690 rep)
Jan 16, 2025, 02:18 AM • Last activity: Jan 16, 2025, 08:57 AM
0 votes
1 answers
19 views
The "-glob" option of ktadd of kadmin
I'm studying some Kerberos today; making tests with ktadd I found a "mysterious" -glob option. What does -glob mean? I see..

```
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]
```

- -k is the keytab where to extract the keys to
- -q is quiet
- -e is the ciphers/keysaltlist to use
- -glob.. global options?
elbarna (13690 rep)
Jan 6, 2025, 08:45 PM • Last activity: Jan 6, 2025, 10:01 PM
0 votes
1 answers
37 views
Kerberos kdc, how to force generation of AES keys on Solaris?
I want to avoid old and weak ciphers on my Solaris KDC, using only AES. I have edited kdc.conf:

```
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
```

Those are the lines for krb5.conf:

```
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

Restart the KDC and kadmin and..

```
kadmin -p kws/admin -wmypassword
Authenticating as principal kws/admin with password.
kadmin: addprinc NFS/debian.myserv.priv@MYSERV.PRIV
ktadd -k nfs.keytab -e aes256-cts-hmac-sha1-96 NFS/debian.myserv.priv@MYSERV.PRIV
ktadd: Invalid argument while parsing keysalts aes256-cts-hmac-sha1-96
```

Trying the default..

```
ktadd -k nfs.keytab NFS/debian.myserv.priv@MYSERV.PRIV
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:nfs.keytab.
Entry for principal NFS/debian.myserv.priv@MYSERV.PRIV with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:nfs.keytab.
```

Why are the DES keys generated? Is it possible to force the AES cipher instead?

EDIT: I found a way to create only aes256 keys:

```
ktadd -e aes256-cts:normal -k nfs.keytab NFS/debian.myserv.priv@MYSERV.PRIV
```

The question still stands: to find a way to force/generate only aes256 keys.
elbarna (13690 rep)
Dec 26, 2024, 08:18 AM • Last activity: Dec 27, 2024, 12:16 AM
-1 votes
1 answers
43 views
How to edit /etc/krb5.conf from cli with crudini?
I'm trying to edit /etc/krb5.conf with [crudini](https://github.com/pixelb/crudini). I tried this:

```shell
$ sudo crudini --set /etc/krb5.conf libdefaults renew_lifetime 7d
Source contains parsing errors: ''
	[line 2]: default_realm = myDOMAIN.LAN
$ echo $?
1
$
```

I expect this:

```shell
$ sudo crudini --set /etc/krb5.conf libdefaults renew_lifetime 7d
$ crudini --get /etc/krb5.conf libdefaults renew_lifetime
7d
$
```
SebMa (2433 rep)
Nov 6, 2024, 04:44 PM • Last activity: Nov 6, 2024, 08:18 PM
0 votes
0 answers
395 views
Disabling Kerberos on Ubuntu
Our security tooling is flagging potential vulnerabilities in krb5; for the sake of this question let's just assume Kerberos is not a value add for me. We do not use Kerberos for authentication to this server; everything is handled through Amazon System Manager (SSM), which uses SSH keys to authenticate. As a result I thought the simple solution would be to disable Kerberos-based authentication. I have thought of two potential ways to do this so far, but wanted to check that I didn't break anything:

- In Ubuntu, Kerberos auth should be handled by the pam-auth-update utility. So removing pam-auth-update should delete Kerberos. However, it might also delete other important things?
- The other option I thought of was to go into /etc/services and delete the krb5kdc/kpropd/etc. entries. Not sure though if this will leave pieces of Kerberos lying around, and I don't have a full list of services that Kerberos uses.

Then finally, should I be doing this at all? Is this a bad idea, if I know I do not want to use Kerberos auth ever on this server?
Tory Spelling (1 rep)
Nov 1, 2024, 03:31 AM • Last activity: Nov 1, 2024, 03:32 AM
3 votes
1 answers
5480 views
kinit: invalid UID in persistent keyring name while getting default ccache while using Ansible
Let me start with a short description:

Target host: RHEL7, kernel 3.10, Python 2.7

On the target host, there is a Perl script (run by a particular user) which, among other things, does stuff like:

```
kdestroy -A
kinit user@domain -kt path_to_keytab
```

While on the host I can perform (as the 'scriptrunner' user) all commands without error. Yet, while using Ansible I get the error 'kinit: invalid UID in persistent keyring name while getting default ccache'.

The playbook is run from Ansible Tower with credentials using 'sudo' escalation mode, and the playbook itself uses become: yes and become_user: scriptrunner, so the user is the same as when running the commands from the terminal.

I have tried running the commands with the command module, just command: /bin/kdestory -A and command: /bin/kinit someuser@domain -kt path_to_keytab. I have also tried running the whole script as: command: /bin/bash -c -l thescript.sh. The result is always the same. Why so? Any ideas?
just_a_noob (101 rep)
Aug 8, 2022, 10:51 AM • Last activity: Oct 23, 2024, 10:03 AM
1 votes
0 answers
92 views
ansible rsync command fails from using non-kerberos ssh on remote system
I wish to rsync a directory structure from one remote server to another, using an Ansible playbook.yml. During the play, the Ansible shell module's command for rsync fails. I know the reason: it's using a default vendor ssh executable as the backbone of the rsync command. It needs to use a Kerberos version of ssh, which is also on the remote system.

If I manually log onto remoteA and execute the exact same rsync command given in the Ansible script (with the -e /path/to/Kerberos/ssh), it works fine. But it looks like Ansible does not actually honor the -e flag for declaring what ssh to use and therefore generates a Kerberos authentication error.

Is there some way to get it to use the correct ssh version with the rsync executable? This is exactly what the -e /desired/version/of/ssh was declaring, but, again, Ansible seems to not be able to use that for some reason.

```yaml
- name: "rsync base_directory remoteA ==> remoteB"
  shell:
    cmd: 'rsync -av -e /path/to/kerberos/version/ssh base_directory username@remoteB.xxx.xxx.com:/path/to/desired/location/'
    chdir: '/path/to/remtoteA/parentDir/for/base_directory'
```

UPDATE: (no solution yet) let me ask the same question in a different way: How can I force Ansible to use a particular path to ssh as opposed to the first one it finds from the system environment ORIGINAL path?

- I have tried the user .bashrc $PATH to help find the correct ssh executable, but it has no effect on the Ansible play, only for me when I log in.
- I am logging in via a regular SSH session, as the same user as the Ansible playbook. Again, in regular ssh sessions, the rsync command works; the syntax of the command is exactly the same in the playbook where it fails.
- Extra info: There are 8 servers in our company. I am switching this play to run on a different server from the previous one (where all things work fine, as that server has the kerberized ssh in the default path) only because that server will be decommissioned. Still confused why the newer server is not configured the same, but it's not. And there seems to be nothing I have found to get the rsync command to find (and use) the kerberized version of ssh over the vendor non-kerberized version.
RichWalt (111 rep)
Oct 13, 2024, 06:44 PM • Last activity: Oct 15, 2024, 05:56 PM