Markus Feilner
2004-Mar-16 15:00 UTC
[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
Hello List,

I am (unsuccessfully) trying to automatically get a valid kerberos ticket for my linux box. I have - in a test environment:

- a windows 2000 server with Active directory and DNS properly set up.
- a suse linux 9.0 router with samba3.0.2.rc.1 and heimdal 0.6.-67.
- I am able to join the domain and get a valid ticket through kinit, if I enter the Administrator's password or the userdata with password from some account in the Administrator group.
- File transfer and Name services and winbind work flawlessly, as long as there is a valid ticket.

I have googled and read in mailing lists, and received good advice (thanks chris!) on how to get a ticket with a cronjob and a keytab file:

- On the ADS-KDC I created a user, to whose account the new kerberos principal is to be mapped,
- which I did by typing "ktpass -princ host/hostname@REALM -mapuser username -pass password -out keyfile", like microsoft explains on their techinfo sites.
- Then I transferred the keyfile to the linux box and tried to use it for kinit with the -k and -t switches.

BUT: All I got is: Additional pre-authentication required.
(which seems to be the least explanatory of all samba errors...)

Here follow my tries:
--------------SCHNIPP------------------------
linux-router:~ # kinit --use-keytab -t /etc/krb5.keytab
kinit: krb5_get_init_creds: Additional pre-authentication required
linux-router:~ # ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/linux-router.linux.xxxxx.local@LINUX.XXXXX.LOCAL
linux-router:~ # kinit -k host/linux-router.linux.xxxxxx.local
kinit: krb5_get_init_creds: Additional pre-authentication required
#linux-router:~ # kinit host/linux-router.linux.ermer.local
host/linux-router.linux.xxxxx.local@LINUX.XXXXX.LOCAL's Password:
linux-router:~ #
-------------SCHNAPP--------------------------

The funny thing is:
- I can get a ticket with any valid useraccount in the Administrator group.
- the User Mapping on the windows box seems to work, because I enter the user's password with kinit host/..... and I get a ticket.

Who can help?
Where is my mistake?

Thanks a lot in advance
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS  Erlangerstr. 2  93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net  mail: mfeilner@feilner-it.net
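The ktutil listing above is the only view the poster has of what the keytab holds. As an added example (not from this thread or from Samba/Heimdal), here is a small Python parser for the version-2 keytab file layout that MIT and Heimdal both write, which recovers the same kvno, enctype and principal columns so a keytab can be inspected offline, together with a constructed sample keytab that mirrors the single des-cbc-crc entry shown (dummy key bytes, not a real key).

```python
import struct
# Enctype numbers from the RFC 3961 registry; 1 is the single-DES type listed above.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, off):            # uint16 length-prefixed octet string
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _parse_entry(e):
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, off = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(e, off)
        comps.append(c.decode())
    # name_type(4) timestamp(4) vno8(1) enctype(2), then the key octets
    _ntype, stamp, vno, etype = struct.unpack_from(">IIBH", e, off)
    key, off = _counted(e, off + 11)
    if off + 4 <= len(e):          # optional 32-bit kvno overrides vno8
        (vno,) = struct.unpack_from(">I", e, off)
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
            "enctype": ENCTYPES.get(etype, f"etype {etype}"),
            "timestamp": stamp, "keylen": len(key)}

def parse_keytab(data):            # version 0x0502 layout used by MIT and Heimdal
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size > 0:               # a negative size marks a deleted slot
            entries.append(_parse_entry(data[off:off + size]))
        off += abs(size)
    return entries

def build_keytab(principal, kvno, etype, key, stamp=0):   # writer for constructed samples
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, stamp, kvno & 0xff, etype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed keytab mirroring the one entry in the ktutil listing (dummy key bytes).
SAMPLE = build_keytab("host/linux-router.linux.xxxxx.local@LINUX.XXXXX.LOCAL", 1, 1, b"\x00" * 8)
```

Comparing the parsed kvno and enctype against what the KDC currently holds for the account is the first thing to check when a keytab-based kinit is refused.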
ww m-pubsyssamba
2004-Mar-16 16:25 UTC
[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
Hi Markus,

What are you actually trying to achieve? Why do you want to automatically obtain a kerberos ticket? I may be wrong, but I wonder if you are overcomplicating things for yourself. ktpass is indeed a tool for creating keytabs for use on non-windows systems such as Linux, but if you are using Samba 3.0 you should join the Linux server to the domain using Samba specific commands, ie.

# net ads join -U Administrator%password

This creates a computer account in the AD and negates the need to mess around manually with keytabs. You can check this by looking in your AD domain with adsiedit, if you look at the computer object created you can see it has set up a serviceprincipal for "host/hostname@REALM.COM" etc. You'd use ktpass if you wanted to Kerberise something like NFS which has no specific support for AD.

Unless you need access from one Samba server to another you don't need to automatically get a ticket for your Samba server to work, Samba will maintain domain trusts for clients connecting to the Samba server on its own.

If this doesn't help or I've misunderstood your requirements post some more details of what you need to achieve,

thanks Andy.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
ww m-pubsyssamba
2004-Mar-16 19:29 UTC
[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
On Tuesday, 16 March 2004 17:22, ww m-pubsyssamba wrote:
> Hi Markus,
>
> What are you actually trying to achieve? Why do you want to
> automatically obtain a kerberos ticket? I may be wrong, but I wonder
> if you are overcomplicating things for yourself. ktpass is indeed a
> tool for creating keytabs for use on non-windows systems such as
> Linux, but if you are using Samba 3.0 you should join the Linux
> server to the domain using Samba specific commands, ie.
>

I have e.g. squid-winbind-ntlm authentication working, but the samba client only gets new data from the ADS, if it has a valid ticket. Otherwise only old auth data is used (from the winbind cache.) As long as there is a valid ticket, changes on the user/group data in ADS are almost instantaneously also active on the samba server. This is used for permitting access to the internet only for members of a special ADS group. Changes to the members of this group should automagically be known to the samba server without interaction by an admin. It works that way with samba and an NT-compatible ADS, but that makes it insecure.

## ok, I have no experience of using Samba to provide authentication to squid but
## if all you need is to get winbind working then maybe I can help, please see below..

> # net ads join -U Administrator%password
>
> This creates a computer account in the AD and negates the need to
> mess around manually with keytabs. You can check this by looking in
> your AD domain with adsiedit, if you look at the computer object
> created you can see it has set up a serviceprincipal for

Yes. But when a ticket is no longer valid, only old user data are known to winbind. In order to always have a valid ticket I need:
- a ticket granting ticket and a cronjob that does the renewal.
- Or an account that works with a keytab file and does not require a password therefore.
Neither does work. (I even set up a testbed net with a "virgin" ADS Server)

## Ok I think you are wrong here, I tested this as follows:
## On Samba 3.0.2a server join to AD domain using "net ads join"
## Ensure there are no kerberos tickets with "kdestroy"
## start winbind, check users seen by winbind with "wbinfo -u"
## Add a new user to AD using MS tools, now wait for winbind cache time to pass
## (winbind cache time defaults to 300 seconds)
## now check users visible to winbind with "wbinfo -u" (I had to run this twice for it to update)
## I can see the new user, this is what I'd expect all without any kerberos ticket.
## This is because the "net ads join" performs a similar function to manually
## creating keytab files, it creates a trust or shared secret between
## the Samba server and the AD domain.

> "host/hostname@REALM.COM" etc. You'd use ktpass if you wanted to
> Kerberise something like NFS which has no specific support for AD.
> Unless you need access from one Samba server to another you don't
> need to automatically get a ticket for your Samba server to work,
> Samba will maintain domain trusts for clients connecting to the Samba
> server on its own.
> If this doesn't help or I've misunderstood your requirements post
> some more details of what you need to achieve,
>
> thanks Andy.
>

Thanks a lot, Andy, and tell me if I got something wrong... But try wbinfo -t both with a valid ticket and without. Doesn't seem to make a difference, unless you change the userdata on the ADS server... Any ideas? I would be so happy if I were wrong...

## Yes wbinfo -t as wbinfo -u should rely on a trust established by "net ads join"
## not a kerberos ticket so both should work as would wbinfo -g etc. etc.

--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS  Erlangerstr. 2  93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net  mail: mfeilner@feilner-it.net
Jeremy Allison
2004-Mar-23 20:45 UTC
[Samba] samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required
On Tue, Mar 23, 2004 at 03:39:09PM -0500, Jim McDonough wrote:
>
> Jeremy, how about this?

Looks really good except for this :

> + if (expire_time)
> + *expire_time = (time_t) my_creds.times.endtime;
> +

Is there a defined API way to get the expiration time rather than fishing in the my_creds struct ? Is it the same field between MIT and Heimdal ? Other than that it looks great (and I take it it works :-), commit it and we can work out the specifics later if necessary.

Jeremy.
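Review bot: the `(time_t) my_creds.times.endtime` read in the quoted hunk is exactly the spot the open MIT-versus-Heimdal question applies to, and the cast will compile against either header whether or not the field has the same meaning in both, so the portability question cannot be answered by the compiler. Move the field access into one small helper (a hypothetical name such as `tgt_end_time(&my_creds)`) so the library-specific part lives in a single place that can be adjusted once the answer is known, and add a comment on the assignment stating that the value handed back through `expire_time` is the ticket end time as seconds since the epoch, since that is what callers receiving a `time_t` will assume.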