[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
Markus Feilner
lists at feilner-it.net
Tue Mar 23 10:01:53 GMT 2004
On Sunday, 21 March 2004 03:43, Andrew Bartlett wrote:
>
> Samba should do a kinit internally, based on the machine trust
> account password, before it attempts to make a connection to ADS.
> Are you really sure your problems are related to the kerberos ticket?
>
> The ticket that may or may not be created for Administrator during
> the 'net ads join' is not used by winbindd. Only the machine trust
> account password is. Also ensure you are running Samba 3.0.2a,
> in case you are hitting other bugs.
>
> Andrew Bartlett
OK, Thanks Andrew!
It works if I restart winbind regularly.
Then new data from the ADS is integrated at once, if I set the winbind
cache parameter in smb.conf. There's no need for another ticket, it
seems to be created at joining the domain.
But: If I do not restart winbind, the shared secret is gone after a
certain time!?
Example: I started both systems on Friday. They worked fine, and I added
users and groups to the ADS (W2K, SP4) and checked on samba (3.0.2a,
SuSE 9.0). Worked fine. Then I let both systems run over the weekend. I
came back Monday and found wbinfo only producing errors like could not
lookup users/groups. wbinfo -t said "Could not check shared secret".
I restarted winbind, and it worked instantaneously. So I added a
cronjob, which restarts winbind every hour.
But that seems only a workaround to me...
Any Ideas?
Thank You!
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner at feilner-it.net