Samba 3.0, ADS, Kerberos
Hello List,

I have successfully integrated Samba into an Active Directory domain, and it is authenticating against the ADS, but only while the Kerberos ticket is valid. After that period it seems to take only the user/group list from its (winbind) cache.

For now I can get a Kerberos ticket with "kinit Administrator" or any other username that has administrative rights on the ADS, and all is fine. But after 8 hours this ticket is no longer valid. How can I renew or re-obtain a (new) ticket automatically?

I searched many sites and found several solutions, but none worked. Probably the best one is about keytabs, which I could generate on the Windows system, but Kerberos does not seem to use them.

Most of the solutions I found are for MIT Kerberos, but I use Heimdal (as of SuSE 9.0), where e.g. the hints from New Zealand's Linux wiki (http://www.wlug.org.nz/ActiveDirectorySamba) don't work. They tell me to import the keytab file with

-----------------
% ktutil
ktutil: rkt mail.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab
ktutil: q
------------------

But this does not work - not with ktutil and not with kadmin. Perhaps I missed something?

Thanks a lot!!!

--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS
Erlangerstr. 2
93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net
mail: mfeilner@feilner-it.net
Hello,

I had the same problem with Cyrus authenticating against Active Directory using Heimdal Kerberos. You may move your Windows-generated keytab to /etc/krb5.keytab - but this will overwrite existing keytabs. Then

    kinit -t /etc/krb5.keytab host/your.linux.server.fqdn

A subsequent klist shows your current TGT.

Kind regards
Chris
-----Original Message-----
From: Markus Feilner [mailto:lists@feilner-it.net]
Sent: Tuesday, 17 February 2004 11:00
To: suse-security List
Subject: [suse-security] Samba 3.0, ADS, Kerberos
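As an added example (not code from either poster), a small POSIX sh script built around the commands Chris names, meant to run from cron on a Heimdal host: it uses "klist -t" to test whether a valid TGT is still in the cache and, only if not, checks with "ktutil -k FILE list" that the Windows-generated keytab actually contains the host principal before calling "kinit -t". The keytab path, realm and FQDN are assumed placeholders to adjust for your site.

```shell
#!/bin/sh
# Added example, not from the thread: refresh the host TGT from a keytab
# (the approach Chris describes) so it can run unattended from cron on Heimdal.
# Assumed site values (placeholders, adjust): keytab path and realm.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
REALM="${REALM:-EXAMPLE.COM}"

# Build the host principal for this machine, e.g. host/srv.example.com@EXAMPLE.COM.
host_principal() {
    fqdn="${1:-$(hostname -f 2>/dev/null || hostname)}"
    printf 'host/%s@%s\n' "$fqdn" "$REALM"
}

# Check that the keytab really contains the principal (Heimdal: ktutil -k FILE list),
# so a keytab exported under a different name fails with a clear message
# instead of an opaque kinit error.
keytab_has() {
    ktutil -k "$1" list 2>/dev/null | grep -Fq -- "$2"
}

# Obtain a TGT only when none is valid (Heimdal: klist -t tests for a valid TGT).
# Return codes: 0 = TGT valid or renewed, 2 = principal not in keytab, 3 = kinit failed.
refresh_tgt() {
    princ="$1"
    keytab="${2:-$KEYTAB}"
    if klist -t 2>/dev/null; then
        return 0                      # ticket still good, nothing to do
    fi
    if ! keytab_has "$keytab" "$princ"; then
        echo "refresh_tgt: $princ not found in $keytab" >&2
        return 2
    fi
    if kinit -t "$keytab" "$princ"; then
        return 0
    fi
    echo "refresh_tgt: kinit failed for $princ" >&2
    return 3
}

# Invoked with the server's FQDN, e.g. from root's crontab every hour:
#   0 * * * * /usr/local/sbin/refresh_tgt.sh srv.example.com
[ $# -gt 0 ] && refresh_tgt "$(host_principal "$1")"
```

Because the script does nothing while "klist -t" succeeds, it is safe to run far more often than the 8-hour ticket lifetime; the exit code can be fed into your monitoring.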
Participants (2):
- Christian Lange
- Markus Feilner