Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
0
votes
0 answers

Separate Apache Kafka clusters unreachable at the same time - kafka_network_socketserver_networkprocessoravgidlepercent goes to zero

We have 4 Kafka clusters: ENV1: 6 brokers and 3 zookeepers ENV2: 6 brokers and 3 zookeepers ENV3: 8 brokers (on 2 DCs, 4-4 brokers) and 9 zookeepers (on 3 DCs, 3-3-3 nodes) ENV4: 16 brokers (on 2 DCs, 8-8 brokers) and 9 zookeepers (on 3 DCs, 3-3-3…
jakabl
  • 1
0
votes
0 answers

Troubleshoot Kerberos pre-authentication failed logons

Once in a while we get a notification that an account triggered too many failed kerberos pre-authentication attempts. This event contains the username and source machine. Here is an example: Kerberos pre-authentication failed. Account Information: …
MeMario
  • 25
  • 6
0
votes
0 answers

How can I detect a Kerberos authentication to execute a command

I would like to execute a command every time a user is authenticating on the server. As for now, the only way I can "detect" a valid authentication is by looking at the logs in /var/log/auth.log. As logs are not meant to be used as triggers, I'd…
Bnr
  • 1
0
votes
1 answer

FreeIPA and Kerberos [Cannot contact any KDC for realm while getting initial credentials]

I hope this is the correct forum to ask. We run a cluster (Centos 7) using FreeIPA for account management. On Sunday the IPA server suddenly restarted and since then, users are no longer able to login via ssh and Kerberos credentials can no longer…
Yannick
  • 1
  • 2
0
votes
0 answers

Apache2 SSO mod_auth_kerb An unsupported mechanism was requested

I am using a Windows 2022 Server running the active directory (server.local) and a Debian 10 Server running Apache. When accessing the Site with Chrome or Internet Explorer it returns a 401 Status Code and the error.log has…
dwaltsch
  • 1
  • 1
0
votes
1 answer

Access kerberized resources from cron job using a keytab

I'm on Ubuntu 22.04 which is joined to an Active Directory 2016 by sssd. I have access to several network resources through kerberos: file shares, oracle and postgres databases. All is good. But I also want to be able to access these resources from a…
0
votes
0 answers

adcli update does not save Kerberos ticket with new kvno

New Kerberos ticket of computer account is found by adcli update but not saved in keytab file. adcli update --domain=example.org -v The output "Retrieved kvno '4' for computer account" appears, but in the keytab file KVNO 3 is still the largest…
phanaz
  • 295
  • 2
  • 8
0
votes
0 answers

RHEL8 and GSSAPI Kerberos authenticate through Apache issue

I'm trying to run an apache virtualhost, on a machine currently running Red Hat Enterprise Linux release 8.5 (Ootpa), with Kerberos authentication using the new GSSAPI module (replacement of mod_auth_kerb). I also configured LDAP directives to…
Wrest
  • 11
  • 2
0
votes
0 answers

Validating credentials in PowerShell won't use Kerberos

In reality I'm debugging a C# app but since the same command is possible in PowerShell I'm trying there. I am trying to validate user accounts using the following in PowerShell: > Add-Type -AssemblyName System.DirectoryServices.AccountManagement >…
0
votes
1 answer

ksetup - Failed /GetEncTypeAttr : 0xc0000034

On the DC of a single-AD forest, I am logged in as the default domain administrator Administrator (in this case also the enterprise administrator). In an elevated PowerShell, I try to get the Kerberos encryption types with the following command (as…
0
votes
1 answer

How can I set the 'The other domain supports Kerberos AES Encryption' setting programmatically?

In the GUI (Active Directory Domains and Trusts MMC Snap-in (domain.msc)), you can set the "The other domain supports Kerberos AES Encryption" setting for a trust relationship: I am looking for a way to set this setting programmatically. I already…
0
votes
0 answers

When is mapUser required -

I'm not sure I understand when & why mapUser is needed. When you generate a keytab with ktpass you can map the Service Principal to a user with mapUser. You can then kinit to the Service from another machine using that keytab. When trying the same…
0
votes
0 answers

Which Cipher Is Being Used To Encrypt NFSv4 With "sec=krb5p"?

I am using NFSv4 with sec=krb5p encryption enabled on a CentOS 7 client & server. My NFS shares mount flawlessly at boot-time, and when I query my keytab file I am able to view the list of available ciphers, as so... # klist -ke Keytab name:…
Will
  • 11
  • 4
0
votes
0 answers

Difference between krb5-user and PAM method for Linux to authenticate on Active Directories

I'm trying to understand what the difference between both this guides is: http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/ https://computingforgeeks.com/join-ubuntu-debian-to-active-directory-ad-domain/ I'm very sorry…
0
votes
1 answer

NFSv4 and kerberos: access denied 50% of the time

We are trying to mount NFSv4 shares on RHEL 8 clients, with kerberos. We have a very similar setup on another environment, and it worked fine. But on this setup, it happens that we get access denied around 50% of the times we try to mount a share: #…