[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
pubsyssamba at bbc.co.uk
Tue Mar 16 19:25:16 GMT 2004
On Tuesday, 16 March 2004 17:22, ww m-pubsyssamba wrote:
> Hi Markus,
> What are you actually trying to achieve? Why do you want to
> automatically obtain a kerberos ticket? I may be wrong, but I wonder
> if you are overcomplicating things for yourself. ktpass is indeed a
> tool for creating keytabs for use on non-windows systems such as
> Linux, but if you are using Samba 3.0 you should join the Linux
> server to the domain using Samba specific commands, ie.
I have e.g. squid-winbind-ntlm authentication working, but the samba
client only gets new data from the ADS if it has a valid ticket.
Otherwise only old auth data is used (from the winbind cache).
As long as there is a valid ticket, changes to the user/group data in
ADS are almost instantaneously also active on the samba server.
This is used for permitting access to the internet only for members of a
special ADS group.
Changes to the members of this group should automagically be known to
the samba server without interaction by an admin. It works that way
with samba and an NT-compatible ADS, but that makes it insecure.
## ok, I have no experience of using Samba to provide authentication to squid but
## if all you need is to get winbind working then maybe I can help, please see below..
> # net ads join -U Administrator%password
> This creates a computer account in the AD and negates the need to
> mess around manually with keytabs. You can check this by looking in
> your AD domain with adsiedit, if you look at the computer object
> created you can see it has setup serviceprincipal for
Yes. But when a ticket is no longer valid, only old user data are known
to winbind. In order to always have a valid ticket I need:
- a ticket granting ticket and a cronjob that does the renewal.
- Or an account that works with a keytab file and does not require a
Neither works.
(I even set up a testbed net with an "virgin" ADS Server)
## Ok I think you are wrong here, I tested this as follows:
## On Samba 3.0.2a server join to AD domain using "net ads join"
## Ensure there are no kerberos tickets with "kdestroy"
## start winbind, check users seen by winbind with "wbinfo -u"
## Add a new user to AD using MS tools, now wait for winbind cache time to pass
## (winbind cache time defaults to 300 seconds)
## now check users visible to winbind with "wbinfo -u" (I had to run this twice for it to update)
## I can see the new user, this is what I'd expect all without any kerberos ticket.
## This is because the "net ads join" performs a similar function to manually
## creating keytab files, it creates a trust or shared secret between
## the Samba server and the AD domain.
> "host/hostname at REALM.COM" etc. You'd use ktpass if you wanted to
> Kerberise something like NFS which has no specific support for AD.
> Unless you need access from one Samba server to another you don't
> need to automatically get a ticket for your Samba server to work,
> Samba will maintain domain trusts for clients connecting to the Samba
> server on its own.
> If this doesn't help or I've misunderstood your requirements post
> some more details of what you need to achieve,
> thanks Andy.
Thanks a lot, Andy,
and tell me if I got something wrong...
But try wbinfo -t both with a valid ticket and without. Doesn't seem to
make a difference, unless you change the userdata on the ADS server...
I would be so happy if I were wrong...
## Yes, wbinfo -t, like wbinfo -u, should rely on a trust established by "net ads join",
## not a kerberos ticket, so both should work, as would wbinfo -g etc. etc.
> Hello List,
> I am (unsuccessfully) trying to automatically get a valid kerberos
> ticket for my linux box. I have - in a test environment:
> - a windows 2000 server with Active directory and DNS properly set
> up. - a suse linux 9.0 router with samba3.0.2.rc.1 and heimdal
> 0.6.-67. - I am able to join the domain and get a valid ticket
> through kinit, if I enter the Administrator's password or the
> userdata with password from some account in the Administrator group.
> - Filetransfer and Name services and winbind work flawlessly, as
> long as there is a valid ticket.
> I have googled and read in mailing lists, and received good advice
> (thanks chris!) on how to get a ticket with a cronjob and a keytab
> - On the ADS-KDC I created a user, to whose account the new kerberos
> principal is to be mapped,
> - which I did by typing "ktpass -princ host/hostname at REALM -mapuser
> username -pass password -out keyfile", like microsoft explains on
> their techinfo sites.
> - Then I transferred the keyfile to the linux box and tried to use it
> for kinit with the -k and -t switches.
> BUT: All I got is: Additional pre-authentication required.
> (which seems to be the least explanatory of all samba errors...)
> Here follow my tries:
> linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab
> kinit: krb5_get_init_creds: Additional pre-authentication required
> linux-router:~ # ktutil -k /etc/krb5.keytab list
> Vno Type Principal
> 1 des-cbc-crc host/linux-router.linux.xxxxx.local at LINUX.XXXXX.LOCAL
> linux-router:~ # kinit -k host/linux-router.linux.xxxxxx.local
> kinit: krb5_get_init_creds: Additional pre-authentication required
> #linux-router:~ # kinit host/linux-router.linux.ermer.local
> host/linux-router.linux.xxxxx.local at LINUX.XXXXX.LOCAL's Password:
> linux-router:~ #
> The funny thing is:
> - I can get a ticket with any valid useraccount in the Administrator
> - the User Mapping on the windows box seems to work, because I enter
> the user's password with kinit host/..... and i get a ticket.
> Who can help?
> Where is my mistake?
> Thanks a lot in advance
> Kind regards
> Markus Feilner
> Linux Solutions, Training, Seminars and Workshops - also in-house
> Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
> fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
> web: http://feilner-it.net mail: mfeilner at feilner-it.net
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
> BBCi at http://www.bbc.co.uk/
> This e-mail (and any attachments) is confidential and may contain
> personal views which are not the views of the BBC unless specifically
> If you have received it in error, please delete it from your system.
> Do not use, copy or disclose the information in any way nor act in
> reliance on it and notify the sender immediately. Please note that
> the BBC monitors e-mails sent or received. Further communication will
> signify your consent to this.
Kind regards
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner at feilner-it.net
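The `ktutil -k /etc/krb5.keytab list` output in the thread (kvno, enctype, principal) is what the keytab file actually stores, and those three fields are what a practitioner compares against the principal handed to `kinit -k` before suspecting the KDC. The following is an added example, not code from the thread, from Samba or from Heimdal: a stand-alone parser for the MIT/Heimdal keytab file format (version 0x0502) that lists entries the way ktutil does and checks whether a given principal has a key. The host name `linux-router.linux.example.local`, the realm `LINUX.EXAMPLE.LOCAL`, the timestamps and the key bytes are constructed stand-ins for the `xxxxx.local` names the post redacts; nothing here contacts a KDC.

```python
"""Parse a Kerberos keytab (MIT/Heimdal on-disk format, version 0x0502) and
list its entries the way `ktutil list` does: kvno, enctype, principal.

Added example for this thread; not from Samba, Heimdal or the posters.
Host names, realm, timestamps and keys below are constructed."""
import struct
from typing import Any, Dict, List

# Encryption type numbers (RFC 3961 / IANA registry) worth naming here.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[Dict[str, Any]]:
    """Return one dict per live entry: principal, kvno, enctype name, key, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        # Entry length is signed: a negative value marks a deleted slot of that size.
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno trailer written by newer tools
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
            "key": key,
            "timestamp": timestamp,
        })
    return entries


def ktutil_style(entries: List[Dict[str, Any]]) -> List[str]:
    """Render entries as `Vno Type Principal` rows, like the ktutil output in the thread."""
    return [f"{e['kvno']:>3} {e['enctype']} {e['principal']}" for e in entries]


def has_key_for(entries: List[Dict[str, Any]], principal: str, default_realm: str) -> bool:
    """True if the keytab holds a key for principal (default realm appended when the
    caller omits it, as kinit -k does). Comparison is byte-exact: case matters."""
    if "@" not in principal:
        principal = f"{principal}@{default_realm}"
    return any(e["principal"] == principal for e in entries)


def build_entry(realm: str, comps: List[str], kvno: int, enctype: int, key: bytes,
                timestamp: int = 0) -> bytes:
    """Serialise one entry (name_type 1 = KRB5_NT_PRINCIPAL); used to build sample data."""
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a single-DES entry like a ktpass-produced keytab would hold,
# plus a second (RC4, kvno 2) entry so the multi-entry path is exercised.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("LINUX.EXAMPLE.LOCAL", ["host", "linux-router.linux.example.local"],
                  kvno=1, enctype=1, key=bytes(range(1, 9)), timestamp=1079464000)
    + build_entry("LINUX.EXAMPLE.LOCAL", ["host", "linux-router.linux.example.local"],
                  kvno=2, enctype=23, key=bytes(range(16)), timestamp=1079464000)
)

if __name__ == "__main__":
    for row in ktutil_style(parse_keytab(SAMPLE_KEYTAB)):
        print(row)
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`. The check that matters in practice is `has_key_for(...)` with exactly the string you pass to `kinit -k`: a realm that differs in case or a principal whose host part is spelled differently from the keytab entry is a plain mismatch, and the enctype column tells you which key types the KDC can be offered at all.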