Re: [suse-security] Samba 3.0, ADS, Kerberos



Hello,

I had the same problem with Cyrus authenticating against Active Directory
using Heimdal Kerberos.

You may move your Windows-generated keytab to /etc/krb5.keytab - but this
will overwrite existing keytabs.

Then

kinit -t /etc/krb5.keytab host/your.linux.server.fqdn

A following klist shows your current TGT.




Best regards


Chris



> -----Original Message-----
> From: Markus Feilner [mailto:lists@xxxxxxxxxxxxxx]
> Sent: Tuesday, 17 February 2004 11:00
> To: suse-security List
> Subject: [suse-security] Samba 3.0, ADS, Kerberos
> 
> Hello List,
> I have successfully integrated Samba into an Active Directory 
> Domain, and it is authenticating against the ADS, but only 
> while the Kerberos ticket is valid. After that period it 
> seems to take only the user/group list from its (winbind) cache.
> 
> By now I can get a Kerberos ticket with "kinit Administrator" 
> or any other username that has administrative rights on ADS 
> and all is fine.
> But after 8 hours this ticket is no longer valid. How can I 
> renew or re-get a (new) ticket automatically? 
> 
> I searched many sites and found several solutions, but none worked. 
> Probably the best one is about keytabs, which I could 
> generate on the Windows system, but Kerberos does not seem to 
> use them.
> 
> Most of the solutions I found are for MIT Kerberos, but I use 
> Heimdal (as of SuSE 9.0), where e.g. the hints from New 
> Zealand's Linux wiki
> (http://www.wlug.org.nz/ActiveDirectorySamba) don't work. 
> They tell me to import the keytab file with
> -----------------
> % ktutil
>   ktutil: rkt mail.keytab
>   ktutil: list
>   ktutil: wkt /etc/krb5.keytab
>   ktutil: q
> ------------------
> But this does not work - not with ktutil and not with kadmin.
> Perhaps I missed something?
> Thanks a lot!!!
> --
> Best regards
> Markus Feilner
> --
> Linux Solutions, Training, Seminars and Workshops - also in-house
> Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
> phone: +49 941 70 65 23  - mobile: +49 170 302 709 2
> web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
> 
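
Added example, not part of the original messages: one way to automate the keytab approach from the reply, so the ticket is re-acquired from cron instead of typing "kinit Administrator" by hand. The keytab path and host principal are the ones in the reply; the function names, the --run switch and the overridable KINIT/KLIST variables are assumptions of this example, and it passes -k together with -t.

```shell
#!/bin/sh
# Added example, for cron: re-acquire the host ticket from the keytab.
# Path and principal are the ones used in the reply above; KINIT/KLIST can be
# overridden (assumption of this example) to exercise the logic without a KDC.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
PRINCIPAL=${PRINCIPAL:-host/your.linux.server.fqdn}
KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}

# A keytab holds long-term keys and works like a stored password: accept only
# a regular file (not a symlink) with no group/other permission bits.
keytab_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a valid TGT is in the cache afterwards, 2 when the keytab is
# missing or too permissive, 1 when kinit or the follow-up check fails.
refresh_ticket() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing $KEYTAB: missing, a symlink, or not mode 0600/0400" >&2
        return 2
    fi
    # -k: take the key from a keytab instead of prompting; -t: which keytab.
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    # Heimdal: klist -t only tests for a valid TGT (MIT spells this klist -s).
    "$KLIST" -t >/dev/null 2>&1 || return 1
    return 0
}

# Run only when called as: script --run   (e.g. from cron every 4 hours,
# well inside the 8-hour ticket lifetime mentioned in the question).
if [ "${1:-}" = "--run" ]; then
    refresh_ticket
    exit $?
fi
```

Using the host principal from the keytab also means no administrator password or administrator ticket has to sit on the Samba server.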

