[Windows] How to flush Kerberos tickets

When accessing file servers on Windows or NetApp machines, authentication sometimes keeps failing. Telling the user to reboot or to log off and back on is getting old, and so is asking a patient user to wait nine hours for the ticket to expire (the default Kerberos ticket age is 9 hours).

It would be far more efficient to have something like ipconfig /release or ipconfig /flushdns that simply clears the cache.

CIFS/SMB uses Kerberos when a client accesses a file server that authenticates against Windows Active Directory. Windows versions from Vista onward have a built-in way to clear Kerberos tickets.

[Windows Vista and later]

step01. cmd.exe

step02. klist  // check how many tickets are currently cached; then use klist tgt to view the details of the ticket-granting ticket (TGT)

step03. klist purge

To purge the tickets of the system account instead of the current user, use the Local System logon session, which klist shows as "呼叫者登入識別碼: (0x0,0x3E7)" (caller logon ID; 0x3e7 is the Local System session). This requires an elevated prompt:

klist -li 0x3e7 purge

klist -lh 0 -li 0x3e7 purge
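The steps above, wrapped in a small PowerShell helper as an added example (this is not code from the original post): it counts the cached tickets, purges the caller's tickets, optionally purges the Local System session 0x3e7 when the prompt is elevated, and then requests a fresh service ticket for a file server so the user does not have to log off. The function names, the placeholder host name and the locale-independence of the "#n>" ticket prefix in klist output are this example's own assumptions.

```powershell
# Added example (not from the original post): helper around klist.exe.
# Assumptions: function names and 'fileserver.example.local' are placeholders;
# klist prefixes each ticket with "#<n>>" regardless of display language.

function Get-KerberosTicketCount {
    # Count the per-ticket "#0>", "#1>", ... lines instead of parsing the
    # localized "Cached Tickets:" header (the post shows Chinese klist output).
    $lines = & klist.exe 2>&1
    if ($LASTEXITCODE -ne 0) { throw "klist failed: $lines" }
    return @($lines | Where-Object { $_ -match '^#\d+>' }).Count
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Clear-KerberosTickets {
    [CmdletBinding()]
    param(
        # Also purge the Local System logon session (LUID 0x3e7); needs elevation.
        [switch]$IncludeLocalSystem
    )
    $before = Get-KerberosTicketCount

    # Same as the post's step03: purge the current logon session.
    & klist.exe purge | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }

    if ($IncludeLocalSystem) {
        if (-not (Test-IsElevated)) {
            throw "Purging logon session 0x3e7 requires an elevated prompt"
        }
        # Same as the post's 'klist -li 0x3e7 purge'. Services that held tickets
        # in that session simply request new ones on their next authentication.
        & klist.exe -li 0x3e7 purge | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "klist -li 0x3e7 purge failed with exit code $LASTEXITCODE" }
    }

    [pscustomobject]@{
        TicketsBefore = $before
        TicketsAfter  = Get-KerberosTicketCount
    }
}

# Usage: purge (system session too when elevated), then ask for a new CIFS
# service ticket so updated group membership is reflected immediately.
Clear-KerberosTickets -IncludeLocalSystem:(Test-IsElevated)
& klist.exe get cifs/fileserver.example.local | Out-Null
Get-KerberosTicketCount
```

After the purge, the next access to a share triggers a fresh AS/TGS exchange, so the user sees the updated group membership or password without logging off; the explicit klist get call just makes that visible in the ticket count.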


[Windows XP & Windows Server 2003]

step01. download the Windows Server 2003 Resource Kit Tools

step02. extract or run 'rktools.exe'

step03. klist.exe tickets  // check how many tickets are currently cached

step04. klist.exe purge

*Supplement*
Enabling the Kerberos log
step01. regedit.exe

step02.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

step03.
Entry: LogLevel
Type: REG_DWORD
Default Value: 0, change it to 1 (0x1)
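The same registry change done from PowerShell, as an added example that is not part of the original post: it sets the LogLevel value named above, reads it back, pulls the Kerberos client events that logging produces, and resets the value to 0 afterwards. The function names and the event provider name are this example's assumptions; the key path, value name and values come from the post.

```powershell
# Added example (not from the original post). Key, value name and values are
# from the post; function names and the provider name are assumptions.

$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosLogLevel {
    param([ValidateSet(0, 1)][int]$Level)
    # The Parameters subkey may not exist on a fresh machine; -Force creates it.
    New-Item -Path $KerberosParams -Force | Out-Null
    New-ItemProperty -Path $KerberosParams -Name LogLevel -PropertyType DWord `
        -Value $Level -Force | Out-Null
    # Read back so the caller can confirm the value actually changed.
    (Get-ItemProperty -Path $KerberosParams -Name LogLevel).LogLevel
}

function Get-KerberosClientEvents {
    param([int]$Max = 20)
    # With LogLevel = 1 the Kerberos client writes its errors to the System log.
    # Provider name is assumed; confirm with Get-WinEvent -ListProvider '*Kerberos*'.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (elevated prompt): enable logging, reproduce the failing share access,
# inspect the events, then set LogLevel back to 0. Leave it off when not
# troubleshooting: the log is verbose and some entries, such as
# KDC_ERR_PREAUTH_REQUIRED during a normal logon, are expected and harmless.
Set-KerberosLogLevel -Level 1
# ... reproduce the failure here, e.g. net use \\fileserver.example.local\share (placeholder)
Get-KerberosClientEvents -Max 10 | Format-Table -AutoSize
Set-KerberosLogLevel -Level 0
```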


Reference:

1. Microsoft – Kerberos protocol registry entries and KDC configuration keys in Windows
2. Microsoft – Kerberos Authentication Tools and Settings (event ID reference)
3. Web Debug – Kerberos authentication troubleshooting experiments
4. Norman Bauer – How to purge Kerberos tickets of the system account
5. zhulinu's column – Windows logon logs explained
6. From kinit to the Kerberos security mechanism
7. MIRU-CH – How to update group membership without logoff / logon / restart

[NetApp] 7-mode 8.2.4 disable SMB 2.1

Check whether SMB 2.1 is currently enabled:

> priv set diag; printflag smb_enable_2_1   (0=disabled, 1=enabled)

Disable SMB 2.1:

> priv set diag; setflag smb_enable_2_1 0; priv set

To have this applied automatically on every reboot, write it into /etc/rc:

wrfile -a /etc/rc "priv set diag; setflag smb_enable_2_1 0; priv set"

PS: this also applies to 8.1.1 / 8.1.3 / 8.1.4


Reference:

1. How to upgrade from Data ONTAP 8.2.1 to Data ONTAP 8.2.2 while keeping SMB 2.1 enabled (NetApp Article Number: 000028057)

2. Tracking down SMB 2.1 support in 8.1.x 7-Mode


[NetApp] 7-mode disable SMB 1.0

Beginning with Data ONTAP 8.2.5, you can disable the storage system’s SMB 1.0 server and client capabilities, if desired. It is enabled by default.

cifs control set smb1.enable off  // Server capability

cifs control set smb1.client.enable off // Client capability
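Whether the filer-side change above (or the SMB 2.1 flag in the previous entry) actually took effect is easiest to confirm from a Windows client. As an added example that is not part of the original post, the PowerShell below reports which SMB dialect each current server connection negotiated and flags any server still talking SMB 1.x; it needs the SmbShare module (Windows 8 / Server 2012 or later) and, for the final feature check, an elevated prompt. The function name and the placeholder host name are this example's own.

```powershell
# Added example (not from the original post): client-side check of the
# negotiated SMB dialect after changing the filer's SMB settings.
# 'netapp-filer' and the function name are placeholders.

function Get-SmbDialectReport {
    param(
        # Optional: restrict the report to one server, e.g. the NetApp filer.
        [string]$ServerName
    )
    $conns = Get-SmbConnection
    if ($ServerName) { $conns = $conns | Where-Object ServerName -eq $ServerName }

    $conns |
        Group-Object ServerName |
        ForEach-Object {
            $dialects = $_.Group.Dialect | Sort-Object -Unique
            [pscustomobject]@{
                ServerName = $_.Name
                Dialects   = $dialects -join ', '
                Shares     = ($_.Group.ShareName | Sort-Object -Unique) -join ', '
                # SMB 1.x has no encryption and weak integrity protection;
                # any connection reporting a 1.x dialect deserves attention.
                UsesSmb1   = [bool]($dialects | Where-Object { $_ -like '1.*' })
            }
        }
}

# Usage: touch a share so a session exists, then report on that server.
Get-ChildItem '\\netapp-filer\share' -ErrorAction SilentlyContinue | Out-Null
Get-SmbDialectReport -ServerName 'netapp-filer' | Format-Table -AutoSize

# Client-side counterpart to the filer's smb1.client.enable setting:
# is the SMB1 client feature even installed on this Windows 10/11 host?
# (Get-WindowsOptionalFeature requires an elevated prompt.)
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client |
    Select-Object FeatureName, State
```

If the filer was configured with SMB 2.1 disabled, the report should show 2.0.2 for that server; once SMB 1.0 is disabled on the filer, no 1.x dialect should appear at all.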


Reference : NetApp Disable or Reenable SMB 1.0 // http://nt-ap.com/2qkRu5l