[Samba] Kerberos Tickets gone after reboot

Scarry, Robert robert.scarry at eds.com
Fri Mar 4 16:21:42 GMT 2005


Thanks for the reply.  Here is the output of my files and a general way I
have things set up.

 

W2K AD Domain Controller-
MIT Kerberos - 
WINBIND -
Solaris 2.8/2.9 (same issue with both platforms.)

Output from the /etc/nsswitch.conf, smb.conf, and klist.

-I can add the samba server to the domain as a member.
-Can authenticate local domain and trusted users to map drives to the shares.
-On reboot the users can't authenticate anymore, and if I do a 'klist' the
Kerberos tickets are gone.
-I took a snapshot of the files used (including the klist when the server is
up before reboot.)

  

--------------------------------------------------------------------

# /etc/nsswitch.nis:
#
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files nis winbind
group:      files nis winbind

--------------------------------------------------------------------

#======================= Global Settings =====================================
[global]

## Basic Server Settings

      # workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
      workgroup = EDSADDDM
      realm = EDSADDDM.DDM.APM.BPM.EDS.COM

      # server string is the equivalent of the NT Description field
      server string = Chucky Imaging Server

      log file = /var/samba/log/log.%m
      log level = 2
      max log size = 100

      security = ADS

      # Passwords & Authentication
      encrypt passwords = yes

      ## Winbind
      idmap uid = 60000-70000
      idmap gid = 80000-90000

      winbind enum users = yes
      winbind enum groups = yes

      winbind separator = +
      winbind use default domain = no

#============================ Share Definitions ==============================
[rdn7]
comment = Imaging Share
path = /rdn7
public = no
writable = yes
printable = no
browsable = no

 

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at EDSADDDM.DDM.APM.BPM.EDS.COM

Valid starting     Expires            Service principal
03/03/05 09:45:35  04/10/05 15:46:57  krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM at EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35
03/03/05 09:47:02  03/05/05 14:02:02  uscosddm001$@EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35
03/03/05 09:47:03  03/05/05 14:02:03  kadmin/changepw at EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35

***  My problem is that I have to re-join my samba server to the domain
every time I reboot.  I am assuming that it is because when I reboot the
Kerberos ticket is gone.  I have to manually issue the kinit command, then
"net ads join", then it all works again.

 

Maybe the Kerberos ticket is not the problem..?  Any ideas?

 

Bye

-----Original Message-----
From: Sebastian Bickel [mailto:Seb.ADIO at gmx.de] 
Sent: Thursday, March 03, 2005 10:53 PM
To: Scarry, Robert
Subject: Re: [Samba] Kerberos Tickets gone after reboot

 

> Has anyone had experience with MIT Kerberos tickets not valid after server
> reboot?
> 
> After server reboot I have to do a 'kinit' to get a new ticket, re-join the
> AD domain, and restart samba.  Then all is fine until I have to reboot the
> server again..  Same thing again and again.  
> 
> My time is synced, Kerberos tickets are good for 500d.

I don't know what your problem is, but Kerberos tickets valid for 500d is
very long and could lead to a security problem.

Greetings

Sebastian

 

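Added example (not part of the original thread): the concern raised in the reply about 500-day tickets can be checked directly from klist output. The script below parses the MIT klist listing shown in the post and reports every ticket whose lifetime or renewable window exceeds a policy limit. The 10-hour and 7-day limits are assumptions taken from the Active Directory default ticket policy, and the sample is the post's listing with wrapped lines rejoined and " at " written as "@".

```python
import re
from datetime import datetime, timedelta

# Assumed policy limits (not from the thread): the Active Directory default
# ticket policy of a 10-hour lifetime and a 7-day renewal window.
MAX_LIFETIME = timedelta(hours=10)
MAX_RENEWABLE = timedelta(days=7)

# Sample input: the klist listing from the post, with wrapped lines rejoined
# and the archive's " at " written as "@" (an assumption about the original).
SAMPLE_KLIST = """\
Valid starting     Expires            Service principal
03/03/05 09:45:35  04/10/05 15:46:57  krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM@EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35
03/03/05 09:47:02  03/05/05 14:02:02  uscosddm001$@EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35
03/03/05 09:47:03  03/05/05 14:02:03  kadmin/changepw@EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW = re.compile(rf"^\s+renew until ({STAMP})$")

def _ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def parse_klist(text):
    """Return one dict per ticket with its lifetime and renewable window."""
    tickets = []
    for line in text.splitlines():
        line = line.rstrip()
        m = TICKET.match(line)
        if m:
            start = _ts(m.group(1))
            tickets.append({"principal": m.group(3), "start": start,
                            "lifetime": _ts(m.group(2)) - start,
                            "renewable": timedelta(0)})  # no "renew until" seen yet
        elif (m := RENEW.match(line)) and tickets:
            tickets[-1]["renewable"] = _ts(m.group(1)) - tickets[-1]["start"]
    return tickets

def audit(tickets):
    """Return (principal, kind, window) for each window above the limits."""
    limits = (("lifetime", MAX_LIFETIME), ("renewable", MAX_RENEWABLE))
    return [(t["principal"], kind, t[kind])
            for t in tickets for kind, limit in limits if t[kind] > limit]

if __name__ == "__main__":
    for principal, kind, window in audit(parse_klist(SAMPLE_KLIST)):
        print(f"{principal}: {kind} window of {window} exceeds policy")
```

On the sample, the TGT's renewable window comes out at 500 days and 1 hour, which matches the "500d" figure quoted in the thread.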