[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required

Tue Mar 16 17:27:41 GMT 2004

Am Dienstag, 16. März 2004 17:22 schrieb ww m-pubsyssamba:
> Hi Markus,
>
> 	What are you actually trying to achieve? Why do you want to
> automatically obtain a kerberos ticket? I may be wrong, but I wonder
> if you are overcomplicating things for yourself. ktpass is indeed a
> tool for creating keytabs for use on non-windows systems such as
> Linux, but if you are using Samba 3.0 you should join the Linux
> server to the domain using Samba specific commands, ie.
>

I have e.g. squid-winbind-ntlm authentication working, but the samba 
client only gets new data from the ADS, if it has a valid ticket. 
Otherwise only old auth data is used (from the winbind cache.)
As long as there is a valid ticket, changes on the user/group data in 
ADS are almost instanteanously also active on the samba server.
This is used for permitting access to the internet only for members of a 
special ADS group.
Changes to the members of this group should automagically be known to 
the samba server without interaction by an admin. It works that way 
with samba and an NT-compatible ADS, but that makes it insecure.

> # net ads join -U Administrator%password
>
> This creates a computer account in the AD and negates the need to
> mess around manually with keytabs. You can check this by looking in
> your AD domain with adsiedit, if you look at the computer object
> created you can see it has setup serviceprincipal for

Yes. But when a ticket is no longer valid, only old user data are known 
to winbind. In order to always have a valid ticket I need:
-  a ticket granting ticket and a cronjob that does the renewal.
-  Or an account that works with a keytab file and does not require a 
password therefore.

Neither does work.
(I even set up a testbed net with an "virgin" ADS Server)

> "host/hostname at REALM.COM" etc. You'd use ktpass if you wanted to
> Kerberise something like NFS which has no specific support for AD.
> Unless you need access from one Samba server to another you don't
> need to automatically get a ticket for your Samba server to work,
> Samba will maintain domain trusts for clients connecting to the Samba
> server on its own.
> If this doesn't help or I've misunderstood your requirements post
> some more details of what you need to achieve,
>
> 		thanks Andy.
>

Thanks a lot, Andy,
and tell me if I got something wrong... 
But try wbinfo -t both with a valid ticket and without. Doesn't seem to 
make a difference, unless you change the userdata on the ADS server...
Any ideas?
I would be so happy if I were wrong...

>
>
> Hello List,
> I am (unsuccessfully) trying to automatically get a valid kerberos
> ticket for my linux box. I have - in a test environment:
>
>  - a windows 2000 server with Active directory and DNS properly set
> up. - a suse linux 9.0 router with samba3.0.2.rc.1 and heimdal
> 0.6.-67. - I am able to join the domain and get a valid ticket
> through kinit, if I enter the Administrator's password or the
> userdata with password from some account in the Administrator group.
>  - Filetransfer and Name services and winbind work flawlessly, as
> long as there is a valid ticket.
>
> I have googled and read in mailing lists, and became good advice
> (thanks chris!) on how to get a ticket wih a cronjob and a keytab
> file:
>
> - On the ADS-KDC I created a user, to whose account the new kerberos
> principal is to be mapped,
> - which I did by typing "ktpass -princ host/hostname at REALM -mapuser
> username -pass password -out keyfile", like microsoft explains on
> their techinfo sites.
> - Then I transferred the keyfile to the linux box and tried to use it
> for kinit with the -k and -t switches.
>
> BUT: All I got is: Additional pre-authentication required.
> (which seems to be the least explanatory of all samba errors...)
>
> Here follow my tries:
> --------------SCHNIPP------------------------
> linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab
> kinit: krb5_get_init_creds: Additional pre-authentication required
> linux-router:~ # ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
>
> Vno  Type         Principal
>   1  des-cbc-crc 
> host/linux-router.linux.xxxxx.local at LINUX.XXXXX.LOCAL linux-router:~
> # kinit -k host/linux-router.linux.xxxxxx.local kinit:
> krb5_get_init_creds: Additional pre-authentication required
> #linux-router:~ # kinit host/linux-router.linux.ermer.local
> host/linux-router.linux.xxxxx.local at LINUX.XXXXX.LOCAL's Password:
> linux-router:~ #
> -------------SCNHAPP--------------------------
>
> The funny thing is:
> - I can get a ticket with any valid useraccount in the Administrator
> group.
> - the User Mapping on the windows box seems to work, because I enter
> the user's password  with kinit host/..... and i get a ticket.
>
> Who can help?
> Where is my mistake?
> Thanks a lot in advance
> --
> Mit freundlichen Grüßen
> Markus Feilner
> --
> Linux Solutions, Training, Seminare und Workshops - auch Inhouse
> Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
> fon: +49 941 70 65 23  - mobil: +49 170 302 709 2
> web: http://feilner-it.net mail: mfeilner at feilner-it.net
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>
> BBCi at http://www.bbc.co.uk/
>
> This e-mail (and any attachments) is confidential and may contain
> personal views which are not the views of the BBC unless specifically
> stated.
> If you have received it in error, please delete it from your system.
> Do not use, copy or disclose the information in any way nor act in
> reliance on it and notify the sender immediately. Please note that
> the BBC monitors e-mails sent or received. Further communication will
> signify your consent to this.

-- 
Mit freundlichen Grüßen
Markus Feilner
--
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner at feilner-it.net