[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required

Markus Feilner lists at feilner-it.net
Tue Mar 23 10:01:53 GMT 2004

Am Sonntag, 21. März 2004 03:43 schrieb Andrew Bartlett:
> Samba should do a kinit internally, based on the machine trust
> account password, before it attempts to make a connection to ADS. 
> Are you really sure your problems are related to the kerberos ticket?
> The ticket that may or may not be created for Administrator during
> the 'net ads join' is not used by winbindd.  Only the machine trust
> account password is.  Also ensure you are running Samba 3.0.2a,
> in-case you are hitting other bugs.
> Andrew Bartlett
OK, Thanks Andrew!
It works if I restart winbind regularly. 
Then new data from the ADS is integrated at once, if I set the winbind 
cache parameter in smb.conf. There's no need for another ticket, it 
seems to be created at joining the domain.
But: If I do not restart winbind, the shared secret is gone after a 
certain time!? 
Example: I started both systems on Friday. They worked fine, and I added 
users and groups to the ADS (W2K, SP4) and checked on samba (3.0.2a, 
SuSE 9.0). Worked fine. Then I let both systems run over the weekend. I 
came back Monday and found wbinfo only producing errors like could not 
lookup users/groups. wbinfo -t said "Could not check shared secret". 
I restarted winbind, and it worked instantaneously. So I added a 
cronjob, which restarts winbind everys hour. 
But that seems only a workaround to me...
Any Ideas?
Thank You!
Mit freundlichen Grüßen
Markus Feilner
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner at feilner-it.net

More information about the samba mailing list