Hi Markus,
What are you actually trying to achieve? Why do you want to automatically obtain a Kerberos ticket?
I may be wrong, but I wonder if you are overcomplicating things for yourself.
ktpass is indeed a tool for creating keytabs for use on non-Windows systems such as Linux, but if you are using Samba 3.0 you should join the Linux server to the domain using Samba-specific commands, i.e.
# net ads join -U Administrator%password
This creates a computer account in the AD and negates the need to mess around manually with keytabs.
You can check this by looking in your AD domain with adsiedit; if you look at the computer object created you can see it has set up serviceprincipal for "host/[EMAIL PROTECTED]" etc.
You'd use ktpass if you wanted to Kerberise something like NFS which has no specific support for AD.
Unless you need access from one Samba server to another you don't need to automatically get a ticket for your Samba server to work; Samba will maintain domain trusts for clients connecting to the Samba server on its own.
If this doesn't help or I've misunderstood your requirements, post some more details of what you need to achieve,
thanks Andy.
Hello List,
I am (unsuccessfully) trying to automatically get a valid Kerberos
ticket for my Linux box. I have - in a test environment:
- a Windows 2000 server with Active Directory and DNS properly set up.
- a SUSE Linux 9.0 router with samba3.0.2.rc.1 and heimdal 0.6.-67.
- I am able to join the domain and get a valid ticket through kinit, if
I enter the Administrator's password or the userdata with password from
some account in the Administrator group.
- Filetransfer and Name services and winbind work flawlessly, as long
as there is a valid ticket.
I have googled and read in mailing lists, and got good advice (thanks
chris!) on how to get a ticket with a cronjob and a keytab file:
- On the ADS-KDC I created a user, to whose account the new Kerberos
principal is to be mapped,
- which I did by typing "ktpass -princ host/[EMAIL PROTECTED] -mapuser
username -pass password -out keyfile", like Microsoft explains on their
techinfo sites.
- Then I transferred the keyfile to the Linux box and tried to use it
for kinit with the -k and -t switches.
BUT: All I got is: Additional pre-authentication required.
(which seems to be the least explanatory of all samba errors...)
Here follow my tries:
--------------SCHNIPP------------------------
linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab
kinit: krb5_get_init_creds: Additional pre-authentication required
linux-router:~ # ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:
Vno Type Principal
1 des-cbc-crc host/[EMAIL PROTECTED]
linux-router:~ # kinit -k host/linux-router.linux.xxxxxx.local
kinit: krb5_get_init_creds: Additional pre-authentication required
#linux-router:~ # kinit host/linux-router.linux.ermer.local
host/[EMAIL PROTECTED]'s Password:
linux-router:~ #
-------------SCNHAPP--------------------------
The funny thing is:
- I can get a ticket with any valid useraccount in the Administrator
group.
- the User Mapping on the Windows box seems to work, because I enter the
user's password with kinit host/..... and I get a ticket.
Who can help?
Where is my mistake?
Thanks a lot in advance
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: [EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba