[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required

Andrew Bartlett abartlet at samba.org
Sun Mar 21 02:43:34 GMT 2004


On Wed, 2004-03-17 at 04:27, Markus Feilner wrote:
> On Tuesday, 16 March 2004 17:22, ww m-pubsyssamba wrote:
> > Hi Markus,
> >
> > 	What are you actually trying to achieve? Why do you want to
> > automatically obtain a kerberos ticket? I may be wrong, but I wonder
> > if you are overcomplicating things for yourself. ktpass is indeed a
> > tool for creating keytabs for use on non-windows systems such as
> > Linux, but if you are using Samba 3.0 you should join the Linux
> > server to the domain using Samba specific commands, ie.
> >
> 
> I have e.g. squid-winbind-ntlm authentication working, but the samba 
> client only gets new data from the ADS, if it has a valid ticket. 
> Otherwise only old auth data is used (from the winbind cache.)
> As long as there is a valid ticket, changes on the user/group data in 
> ADS are almost instantaneously also active on the samba server.
> This is used for permitting access to the internet only for members of a 
> special ADS group.
> Changes to the members of this group should automagically be known to 
> the samba server without interaction by an admin. It works that way 
> with samba and an NT-compatible ADS, but that makes it insecure.

Samba should do a kinit internally, based on the machine trust account
password, before it attempts to make a connection to ADS.  Are you
really sure your problems are related to the kerberos ticket?

The ticket that may or may not be created for Administrator during the
'net ads join' is not used by winbindd.  Only the machine trust account
password is.  Also ensure you are running Samba 3.0.2a, in case you are
hitting other bugs.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net