LinuxQuestions.org
Old 08-17-2004, 04:37 PM   #1
SNunweiler
LQ Newbie
 
Registered: Aug 2004
Location: Canada
Distribution: Redhat Enterprise 3
Posts: 8

Rep: Reputation: 0
Samba Kerberos Authentication


I have a Windows 2000 server running Active Directory in mixed mode and Red Hat Enterprise 3. I have configured Samba and Kerberos according to the instructions on asia.cnet.com/itmanager/netadmin/printfriendly.htm?AT=39081966-39006400t-39000223c.
My computer is then added to the Active Directory Users and Computers list. But when I try to access a Windows network resource I am asked for authentication. Can someone point me to a site that may help, or tell me what I am doing wrong? TIA.
 
Old 08-17-2004, 05:12 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
You'll always be asked for a password at least once, but Kerberos caches the resulting 'ticket' (for 24 hours) so that you won't be asked again.

The article you linked to doesn't make it very clear...

kinit user@EXAMPLE.COM

Will ask for a password to go with the username. If it succeeds a ticket is issued to you, so that any client program you use with Kerberos can use the ticket to silently authenticate.

smbclient //server/share -k

The -k option causes smbclient to use your Kerberos ticket rather than ask for the password.
 
Old 08-17-2004, 05:14 PM   #3
SNunweiler
LQ Newbie
 
Registered: Aug 2004
Location: Canada
Distribution: Redhat Enterprise 3
Posts: 8

Original Poster
Rep: Reputation: 0
Is there a way to authenticate and stay authenticated without having to set the ticket expiry time to some huge number?
 
Old 08-17-2004, 05:34 PM   #4
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Tickets are meant to expire, really - a basic principle of Kerberos is that even if you steal somebody's ticket the expiry will make that ticket useless before long. It's very much designed for LANs, where you will log in to the domain once at the start of the day, use the ticket for the day and have a fresh ticket the next day.

If you want persistent passwordless logins then the appropriate method is SSH with key-based authentication. Of course Microsoft don't bundle SSH, for no particular reason I can work out...
 
Old 08-18-2004, 10:16 AM   #5
SNunweiler
LQ Newbie
 
Registered: Aug 2004
Location: Canada
Distribution: Redhat Enterprise 3
Posts: 8

Original Poster
Rep: Reputation: 0
Would you know why I have to authenticate to each server I want to access? I authenticate to one, and then if I wish to view information on another server I am asked for a username and password again. Is there a way to be authenticated to all servers once you have authenticated to one?
 
Old 08-18-2004, 11:27 AM   #6
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
That doesn't sound right. A ticket should be good for all systems using the Kerberos domain.

To double-check the tickets that you have:

/usr/kerberos/bin/klist

If you have a valid ticket and the server is still asking for a password, then probably either:

- The server isn't part of the same Kerberos domain.
- Your client software isn't using Kerberos authentication.
- The server isn't actually using Kerberos authentication.

We only have a native-mode AD domain at work, so I don't know if mixed-mode behaves differently with Linux. I suppose that it's possible that the Windows box is using the older LANMAN authentication system for some reason, rather than Kerberos.
 
Old 08-18-2004, 12:06 PM   #7
SNunweiler
LQ Newbie
 
Registered: Aug 2004
Location: Canada
Distribution: Redhat Enterprise 3
Posts: 8

Original Poster
Rep: Reputation: 0
My ticket info is:

[root@IT-Linux bin]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DomainName
Valid starting Expires Service principal
08/18/04 10:53:46 08/18/04 20:53:46 krbtgt/DomainName@DomainName

It still asks to authenticate every time I click on a different server. Does the above seem like a valid ticket?
 
Old 08-25-2004, 10:27 AM   #8
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
I've just finished configuring another Linux member server and had a look at this - what you've listed looks OK.

Using an AD Administrator account I get:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: me@MYDOMAIN

Valid starting Expires Service principal
08/25/04 11:21:03 08/25/04 21:21:03 krbtgt/MYDOMAIN@MYDOMAIN
08/25/04 11:34:52 08/25/04 21:21:03 server$@MYDOMAIN
08/25/04 11:34:53 08/25/04 21:21:03 kadmin/changepw@MYDOMAIN

Again, Kerberos won't help if you are connecting to servers which aren't part of the Kerberos domain (because they are using NT4 protocols for authentication with the DC).
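
Added example, not part of the thread or written by any poster: a shell function that classifies klist output by whether it holds only the ticket-granting ticket (as in post #7) or also service tickets (as in post #8). A cache that still shows only krbtgt/ after an access attempt means the client never obtained a service ticket for that server, which matches the causes listed in post #6. The function names and result labels are made up for this example; the sample listings are the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify klist output.
# Reads a klist listing on stdin and prints one of:
#   no-tgt     no krbtgt/ entry; run kinit first
#   tgt-only   TGT present, but no service ticket was ever cached
#   service:N  N service tickets cached besides the TGT
classify_klist() {
    awk '
        /^Valid starting/ { in_table = 1; next }   # ticket rows follow this header
        in_table && NF >= 5 {                      # start date+time, expiry date+time, principal
            if ($NF ~ /^krbtgt\//) tgt++
            else svc++
        }
        END {
            if (!tgt)      print "no-tgt"
            else if (!svc) print "tgt-only"
            else           print "service:" svc
        }'
}

# Listing from post #7 (quoted heredoc so nothing is expanded).
sample_post7() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DomainName
Valid starting Expires Service principal
08/18/04 10:53:46 08/18/04 20:53:46 krbtgt/DomainName@DomainName
EOF
}

# Listing from post #8.
sample_post8() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: me@MYDOMAIN

Valid starting Expires Service principal
08/25/04 11:21:03 08/25/04 21:21:03 krbtgt/MYDOMAIN@MYDOMAIN
08/25/04 11:34:52 08/25/04 21:21:03 server$@MYDOMAIN
08/25/04 11:34:53 08/25/04 21:21:03 kadmin/changepw@MYDOMAIN
EOF
}

printf 'post #7: %s\n' "$(sample_post7 | classify_klist)"
printf 'post #8: %s\n' "$(sample_post8 | classify_klist)"
```

On a live system, pipe the real listing in (klist | classify_klist) right after an attempt such as smbclient //server/share -k, so that any service ticket the client requested is already in the cache.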
 
  

