Strange behaviour of kinit
Lars Hanke
debian at lhanke.de
Fri Sep 12 16:08:35 EDT 2014
On 12.09.2014 21:14, steve wrote:
> On Fri, 2014-09-12 at 20:41 +0200, Dr. Lars Hanke wrote:
>> On 12.09.2014 19:15, steve wrote:
>>> On Fri, 2014-09-12 at 18:59 +0200, Lars Hanke wrote:
>>>> I'm currently migrating from a MIT Kerberos + LDAP infrastructure to a
>>>> samba4 design. I set up test clients, which can connect to either
>>>> server. This works well for one client (debian wheezy amd64), but it
>>>> fails for another client (debian wheezy i386). They have the same krb5.conf.
>>>>
>>>> While both clients can authenticate to the old MIT server, the i386
>>>> client fails to get a ticket from the samba4 system:
>>>>
>>>> ~# kinit Administrator@AD.MICROSULT.DE
>>>> Password for Administrator@AD.MICROSULT.DE:
>>>> kinit: Generic preauthentication failure while getting initial credentials
>>>>
>>>> Again using the same command and password on the amd64 system works fine.
>>>>
>>>> Is there any more configuration than krb5.conf, which plays a role?
>>>
>>> Is the 32 bit box joined to the domain? What does klist -k give on the
>>> 32 bit box?
>>
>> Neither machine is joined to the domain. klist -k reports that no keytab
>> file is present on the 32 bit machine. The 64 bit machine has keys from
>> the old Kerberos infrastructure, none from the samba4 system.
>
> DNS? Is the 386 client pointing _only_ at the Samba4 DC?
The 386 client points to the AD DNS. The amd64 points to the old one,
which essentially doesn't know any microsult.de domains at all. The DC
is hardcoded into /etc/hosts for both machines, to make it known to the
amd64 client and to provide the desired reverse lookup into
ad.microsult.de. I joined several machines using the AD DNS, so I'd not
suspect any major misconfiguration there - it is my production DNS for
all windows clients already.
I have explicit domain mappings in krb5.conf:
[libdefaults]
    default_realm = MGR
    dns_lookup_realm = false
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    MGR = {
        kdc = hel.mgr
        admin_server = hel.mgr
        default_domain = mgr
        kpasswd_server = hel.mgr:464
    }
    AD.MICROSULT.DE = {
        kdc = samba.ad.microsult.de
        admin_server = samba.ad.microsult.de
        default_domain = ad.microsult.de
        kpasswd_server = samba.ad.microsult.de:464
    }

[domain_realm]
    .mgr = MGR
    mgr = MGR
    .ad.microsult.de = AD.MICROSULT.DE
    ad.microsult.de = AD.MICROSULT.DE

[login]
    krb4_convert = true
    krb4_get_tickets = false
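As an added example (not part of the thread), a small parser for the krb5.conf profile format posted above, with two helpers that apply the [domain_realm] suffix rule and show that dns_lookup_kdc = true is only consulted for realms that have no explicit kdc line. The embedded sample is a constructed, abridged copy of the posted config; the realm EXAMPLE.TEST used to exercise the DNS path is hypothetical.

```python
# Constructed sample: an abridged copy of the krb5.conf posted in this thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MGR
    dns_lookup_kdc = true
[realms]
    MGR = {
        kdc = hel.mgr
    }
    AD.MICROSULT.DE = {
        kdc = samba.ad.microsult.de
    }
[domain_realm]
    .mgr = MGR
    .ad.microsult.de = AD.MICROSULT.DE
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}}; '{' opens a sub-block, '}' closes it."""
    profile, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            stack = [profile.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return profile

def realm_for_host(profile, host):
    """[domain_realm] lookup: exact host first, then parent domains with a leading dot."""
    mapping = profile.get("domain_realm", {})
    labels = host.lower().split(".")
    keys = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    hit = next((mapping[k] for k in keys if k in mapping), None)
    return hit or profile.get("libdefaults", {}).get("default_realm")

def kdc_source(profile, realm):
    """Explicit kdc lines win; dns_lookup_kdc only matters for realms without one."""
    kdc = profile.get("realms", {}).get(realm, {}).get("kdc")
    if kdc:
        return ("profile", kdc)
    use_dns = profile.get("libdefaults", {}).get("dns_lookup_kdc", "true") == "true"
    return ("dns", "_kerberos._udp." + realm.lower()) if use_dns else ("none", None)
```

Because both clients share this file and AD.MICROSULT.DE has an explicit kdc, the lookup for that realm does not depend on which DNS server each client uses; running kinit with KRB5_TRACE=/dev/stderr on both boxes shows the KDC actually contacted and the preauth exchange.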