[Samba] Kerberos Tickets gone after reboot

Scarry, Robert robert.scarry at eds.com
Fri Mar 4 16:21:42 GMT 2005

Thanks for the reply.  Here is the output of my files and a general way I
have things set up.


W2K AD Domain Controller-

MIT Kerberos - 


Solaris 2.8/2.9 (same issue with both platforms.)


Output from the /etc/nsswitch.conf, smb.conf, and klist.


-I can add the samba server to the domain as a member.

-Can authenticate local domain and trusted users to map drives to the

-On reboot the users can't authenticate anymore, and if I do a 'klist' the
Kerberos tickets are gone..

-I took a snapshot of the files used (including the klist when the server is
up before reboot.)



# /etc/nsswitch.nis:

# the following two lines obviate the "+" entry in /etc/passwd and
passwd:     files nis winbind
group:      files nis winbind


#======================= Global Settings

## Basic Server Settings

      # workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
      workgroup = EDSADDDM

      # server string is the equivalent of the NT Description field
      server string = Chucky Imaging Server

      log file = /var/samba/log/log.%m
      log level = 2
      max log size = 100

      security = ADS

      # Passwords & Authentication
      encrypt passwords = yes

      ## Winbind
      idmap uid = 60000-70000
      idmap gid = 80000-90000

      winbind enum users = yes
      winbind enum groups = yes

      winbind separator = +
      winbind use default domain = no

#============================ Share Definitions

comment = Imaging Share
path = /rdn7
public = no
writable = yes
printable = no
browsable = no


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at EDSADDDM.DDM.APM.BPM.EDS.COM

Valid starting     Expires            Service principal
03/03/05 09:45:35  04/10/05 15:46:57
      renew until 07/16/06 10:45:35
03/03/05 09:47:02  03/05/05 14:02:02
      renew until 07/16/06 10:45:35
03/03/05 09:47:03  03/05/05 14:02:03
kadmin/changepw at EDSADDDM.DDM.APM.BPM.EDS.COM
      renew until 07/16/06 10:45:35







***  My problem is that I have to re-join my samba server to the domain
every time I reboot.  I am assuming that it is because when I reboot the
Kerberos ticket is gone.  I have to manually issue the kinit command, then
"net ads join", then it all works again.


Maybe the Kerberos ticket is not the problem..?  Any ideas?










-----Original Message-----
From: Sebastian Bickel [mailto:Seb.ADIO at gmx.de] 
Sent: Thursday, March 03, 2005 10:53 PM
To: Scarry, Robert
Subject: Re: [Samba] Kerberos Tickets gone after reboot


> Has anyone had experience with MIT Kerberos tickets not valid after server
> reboot?
>
> After server reboot I have to do a 'kinit' to get a new ticket, re-join the
> AD domain, and restart samba.  Then all is fine until I have to reboot the
> server again..  Same thing again and again.
>
> My time is synced, Kerberos tickets are good for 500d.



I don't know what your problem is, but Kerberos tickets valid for 500d is
very long and could lead to a security problem.








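A way to check a credential cache for the overlong lifetimes the reply warns about, as an added example that is not part of the original thread: it parses klist output in the layout shown above (including a service principal wrapped onto its own line) and flags tickets whose lifetime or renewable window exceeds a policy limit. The 10-hour and 7-day limits, the EXAMPLE.COM realm, the principal names and the third ticket are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

FMT = "%m/%d/%y %H:%M:%S"   # assumption: klist prints dates in the layout seen in the post
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})(?:\s+(\S+))?\s*$")
RENEW = re.compile(rf"^\s+renew until ({STAMP})\s*$")
WRAPPED = re.compile(r"^\s*(\S+@\S+)\s*$")  # principal wrapped onto its own line

# Constructed sample: the timestamps of the first two tickets are taken from
# the post; realm, principals and the third ticket are placeholders.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
03/03/05 09:45:35  04/10/05 15:46:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
      renew until 07/16/06 10:45:35
03/03/05 09:47:03  03/05/05 14:02:03
kadmin/changepw@EXAMPLE.COM
      renew until 07/16/06 10:45:35
03/03/05 09:50:00  03/03/05 19:50:00  host/fs.example.com@EXAMPLE.COM
      renew until 03/10/05 09:50:00
"""

def parse_klist(text):
    """Return one dict per ticket with its lifetime and renewable window."""
    tickets = []
    for line in text.splitlines():
        if m := TICKET.match(line):
            start = datetime.strptime(m.group(1), FMT)
            tickets.append({"principal": m.group(3), "start": start, "renewable": None,
                            "lifetime": datetime.strptime(m.group(2), FMT) - start})
        elif tickets and (m := RENEW.match(line)):
            tickets[-1]["renewable"] = datetime.strptime(m.group(1), FMT) - tickets[-1]["start"]
        elif tickets and tickets[-1]["principal"] is None and (m := WRAPPED.match(line)):
            tickets[-1]["principal"] = m.group(1)
    return tickets

def audit(text, max_life=timedelta(hours=10), max_renew=timedelta(days=7)):
    """List (principal, reasons) for tickets exceeding the assumed policy limits."""
    findings = []
    for t in parse_klist(text):
        reasons = []
        if t["lifetime"] > max_life:
            reasons.append(f"lifetime {t['lifetime']} > {max_life}")
        if t["renewable"] is not None and t["renewable"] > max_renew:
            reasons.append(f"renewable for {t['renewable']} > {max_renew}")
        if reasons:
            findings.append((t["principal"] or "(unknown)", reasons))
    return findings
```

Calling `audit(SAMPLE)` reports the first two tickets and passes the third, which sits exactly at the assumed limits.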