Hello Markus, I was out of office, so excuse my late suggestions.
Subject: [suse-security] samba3, ADS, kerberos keytabs - Pre-authentication ... still not working...
Hello List, I am (unsuccessfully) trying to automatically get a valid kerberos ticket for my linux box. I have - in a test environment:
- a windows 2000 server with Active directory and DNS properly set up.
- a suse linux 9.0 router with samba3.0.2.rc.1 and heimdal 0.6.-67.
- I am able to join the domain and get a valid ticket through kinit, if I enter the Administrator's password or the userdata with password from some account in the Administrator group.
- File transfer and Name services and winbind work flawlessly, as long as there is a valid ticket.

I have googled and read in mailing lists, and got good advice (thanks chris!) on how to get a ticket with a cronjob and a keytab file:

- On the ADS-KDC I created a user, to whose account the new kerberos principal is to be mapped,
- which I did by typing "ktpass -princ host/hostname@REALM -mapuser username -pass password -out keyfile", like Microsoft explains on their techinfo sites.
- Then I transferred the keyfile to the linux box and tried to use it for kinit with the -k and -t switches.
BUT: All I got is: Additional pre-authentication required. (which seems to be the least explanatory of all samba errors...)
Here follow my tries:
--------------SNIP------------------------
linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab

Try a kinit -t /etc/krb5.keytab host/yourhost.fqdn.de
What rights does your /etc/krb5.keytab have? Try 600 root.root
Do you have suitable /etc/pam_smb.conf and /etc/krb5.conf?

Good luck!
Chris

Christian Lange
Dez. 12 DV LKA Niedersachsen
Tel.: 0511/26262-1227
Fax: 0511/26262-8999
mailto: christian.lange at polizei.niedersachsen.de
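
The checks suggested in the reply, written as a pre-flight step for the cron job mentioned in the question. This is an added example, not part of the original thread; the function names are hypothetical, host/yourhost.fqdn.de is the placeholder principal from the reply, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: verify the keytab before a cron job runs kinit from it.
# Keytab path, mode 600 and root ownership come from the thread;
# HOST_PRINCIPAL is a placeholder to be replaced with the real principal.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
HOST_PRINCIPAL="${HOST_PRINCIPAL:-host/yourhost.fqdn.de}"

# check_keytab FILE [OWNER_UID]
# Returns 0 if FILE is a regular file (not a symlink), mode 600 and owned
# by OWNER_UID (default 0 = root). Returns 1 (missing), 2 (mode), 3 (owner).
check_keytab() {
    file=$1
    want_uid=${2:-0}
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "keytab: $file is missing or not a regular file" >&2
        return 1
    fi
    # GNU stat: %a = octal permission bits, %u = numeric owner uid
    meta=$(stat -c '%a %u' "$file") || return 1
    mode=${meta% *}
    uid=${meta#* }
    if [ "$mode" != "600" ]; then
        echo "keytab: mode is $mode, expected 600" >&2
        return 2
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "keytab: owner uid is $uid, expected $want_uid" >&2
        return 3
    fi
    return 0
}

# refresh_ticket: run the checks, then request a ticket with the principal
# named explicitly (Heimdal kinit switches as used in the thread).
refresh_ticket() {
    check_keytab "$KEYTAB" || return $?
    kinit --use-keytab -t "$KEYTAB" "$HOST_PRINCIPAL"
}

# Only contact the KDC when invoked with --run, e.g. from the cron entry.
if [ "${1:-}" = "--run" ]; then
    refresh_ticket
fi
```

A keytab holds the principal's long-term key, so a cron job should fail loudly when the file is readable by anyone other than its owner.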