[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Tue Mar 16 16:22:21 GMT 2004

Hi Markus,

	What are you actually trying to achieve? Why do you want to automatically obtain a kerberos ticket?
I may be wrong, but I wonder if you are overcomplicating things for yourself.
ktpass is indeed a tool for creating keytabs for use on non-windows systems such as Linux, but if you
are using Samba 3.0 you should join the Linux server to the domain using Samba specific commands, ie.

# net ads join -U Administrator%password

This creates a computer account in the AD and negates the need to mess around manually with keytabs.
You can check this by looking in your AD domain with adsiedit, if you look at the computer object created
you can see it has setup serviceprincipal for "host/hostname at REALM.COM" etc.
You'd use ktpass if you wanted to Kerberise something like NFS which has no specific support for AD.
Unless you need access from one Samba server to another you don't need to automatically get a ticket for
your Samba server to work, Samba will maintain domain trusts for clients connecting to the Samba server 
on its own.
If this doesn't help or I've misunderstood your requirements post some more details of what you
need to achieve,

		thanks Andy.

Hello List,
I am (unsuccessfully) trying to automatically get a valid kerberos 
ticket for my linux box. I have - in a test environment:

 - a windows 2000 server with Active directory and DNS properly set up.
 - a suse linux 9.0 router with samba3.0.2.rc.1 and heimdal 0.6.-67.
 - I am able to join the domain and get a valid ticket through kinit, if 
I enter the Administrator's password or the userdata with password from 
some account in the Administrator group. 
 - Filetransfer and Name services and winbind work flawlessly, as long 
as there is a valid ticket.

I have googled and read in mailing lists, and became good advice (thanks 
chris!) on how to get a ticket wih a cronjob and a keytab file: 

- On the ADS-KDC I created a user, to whose account the new kerberos 
principal is to be mapped, 
- which I did by typing "ktpass -princ host/hostname at REALM -mapuser 
username -pass password -out keyfile", like microsoft explains on their 
techinfo sites. 
- Then I transferred the keyfile to the linux box and tried to use it 
for kinit with the -k and -t switches.
BUT: All I got is: Additional pre-authentication required.
(which seems to be the least explanatory of all samba errors...)

Here follow my tries:
linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab
kinit: krb5_get_init_creds: Additional pre-authentication required
linux-router:~ # ktutil -k /etc/krb5.keytab list

Vno  Type         Principal
  1  des-cbc-crc  host/linux-router.linux.xxxxx.local at LINUX.XXXXX.LOCAL
linux-router:~ # kinit -k host/linux-router.linux.xxxxxx.local
kinit: krb5_get_init_creds: Additional pre-authentication required
#linux-router:~ # kinit host/linux-router.linux.ermer.local
host/linux-router.linux.xxxxx.local at LINUX.XXXXX.LOCAL's Password:
linux-router:~ #

The funny thing is: 
- I can get a ticket with any valid useraccount in the Administrator 
- the User Mapping on the windows box seems to work, because I enter the 
user's password  with kinit host/..... and i get a ticket.

Who can help?
Where is my mistake?
Thanks a lot in advance
Mit freundlichen Grüßen
Markus Feilner
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner at feilner-it.net
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

More information about the samba mailing list