[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required

Markus Feilner lists at feilner-it.net
Tue Mar 16 14:59:27 GMT 2004


Hello List,
I am (unsuccessfully) trying to automatically get a valid kerberos 
ticket for my linux box. I have - in a test environment:

 - a windows 2000 server with Active directory and DNS properly set up.
 - a suse linux 9.0 router with samba3.0.2.rc.1 and heimdal 0.6.-67.
 - I am able to join the domain and get a valid ticket through kinit, if 
I enter the Administrator's password or the userdata with password from 
some account in the Administrator group. 
 - File transfer and name services and winbind work flawlessly, as long 
as there is a valid ticket.

I have googled and read in mailing lists, and got good advice (thanks 
chris!) on how to get a ticket with a cronjob and a keytab file: 

- On the ADS-KDC I created a user, to whose account the new kerberos 
principal is to be mapped, 
- which I did by typing "ktpass -princ host/hostname@REALM -mapuser 
username -pass password -out keyfile", like Microsoft explains on their 
techinfo sites. 
- Then I transferred the keyfile to the linux box and tried to use it 
for kinit with the -k and -t switches.
 
BUT: All I got is: Additional pre-authentication required.
(which seems to be the least explanatory of all samba errors...)

Here follow my tries:
--------------SNIP------------------------
linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab
kinit: krb5_get_init_creds: Additional pre-authentication required
linux-router:~ # ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/linux-router.linux.xxxxx.local@LINUX.XXXXX.LOCAL
linux-router:~ # kinit -k host/linux-router.linux.xxxxxx.local
kinit: krb5_get_init_creds: Additional pre-authentication required
#linux-router:~ # kinit host/linux-router.linux.ermer.local
host/linux-router.linux.xxxxx.local@LINUX.XXXXX.LOCAL's Password:
linux-router:~ #
-------------SNAP--------------------------

The funny thing is: 
- I can get a ticket with any valid user account in the Administrator 
group.
- the User Mapping on the windows box seems to work, because I enter the 
user's password with kinit host/..... and I get a ticket.

Who can help?
Where is my mistake?
Thanks a lot in advance
-- 
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner at feilner-it.net
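
The keytab-plus-cronjob setup described in the post, as an added example that is not part of the original message: pre-flight checks a renewal job can run before calling Heimdal's kinit. The function names, the sample listing and its hostnames and realm are assumptions made up for illustration; it does not diagnose the pre-authentication error itself.

```sh
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for a cron job
# that renews a ticket from a keytab with Heimdal's kinit.

# Constructed sample of `ktutil -k FILE list` output (hostnames and realm are made up).
SAMPLE_LISTING='/etc/krb5.keytab:

Vno  Type              Principal
  1  des-cbc-crc       host/router.example.local@EXAMPLE.LOCAL
  2  des-cbc-md5       host/other.example.local@EXAMPLE.LOCAL
  2  arcfour-hmac-md5  host/other.example.local@EXAMPLE.LOCAL'

# Succeed only if the keytab grants nothing to group or other: it holds the
# principal's long-term key, so any reader can obtain tickets as that principal.
keytab_mode_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the encryption types stored for one principal in a ktutil listing.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { print $2 }'
}

# Print "missing", "des-only" or "ok" for a principal; non-zero status if missing.
check_keytab() {
    types=$(keytab_enctypes "$1" "$2")
    if [ -z "$types" ]; then echo missing; return 1; fi
    if printf '%s\n' "$types" | grep -qv '^des-cbc-'; then echo ok; else echo des-only; fi
}

# Hypothetical cron entry point: renew_ticket KEYTAB PRINCIPAL
renew_ticket() {
    keytab_mode_ok "$1" || { echo "refusing: $1 is accessible to group/other" >&2; return 1; }
    listing=$(ktutil -k "$1" list) || return 1
    state=$(check_keytab "$listing" "$2") || { echo "no key for $2 in $1" >&2; return 1; }
    if [ "$state" = des-only ]; then echo "warning: only single-DES keys for $2" >&2; fi
    kinit --use-keytab -t "$1" "$2"
}

if [ "$#" -eq 2 ]; then renew_ticket "$1" "$2"; fi
```

Saved as a script and called from cron with the keytab path and principal as its two arguments, it refuses to run against a keytab that group or other can access and warns when the only stored keys are single DES.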

