Kerberos Linux to AD problem
Matthias Brenner
matthias.brenner at blue-yonder.com
Fri Apr 26 10:05:14 EDT 2019
Hi, I am trying to connect to a Windows 2012R2 AD server with PowerShell
Core from a Linux client. I can't use NTLM or SSH, so I have to use
Kerberos.
What I did: I installed a Debian 8 client and configured
krb5.conf as follows (comments and blank lines removed):
[logging]
default = FILE:/var/log/krb/krb5libs.log
kdc = FILE:/var/log/krb/krb5kdc.log
admin_server = FILE:/var/log/krb/kadmind.log
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
renew_lifetime = 7d
[realms]
EXAMPLE.LOCAL = {
admin_server = ka-dc3.example.local
kdc = ka-dc3.example.local
}
[domain_realm]
.example.local = EXAMPLE.LOCAL
I also configured sssd.conf and smb.conf. After that I did a domain join.
Now I can see the computer entry in the AD, and I can log in
to the Linux client with my AD credentials.
But I'm not familiar with Kerberos. If I enter the following
command (all the following commands are entered as the root user):
kinit -v matthias_admin@EXAMPLE.LOCAL
I get the following output:
Authenticated to Kerberos v5
A klist results in:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: matthias_admin@EXAMPLE.LOCAL
Valid starting Expires Service principal
25.04.2019 09:24:34 25.04.2019 19:24:34 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
renew until 02.05.2019 09:24:30
The howto told me that a kinit -k should work, but I got this error message:
kinit: Client 'host/debian8.example.local@EXAMPLE.LOCAL' not found in Kerberos database while getting initial credentials
A kadmin fails with:
Authenticating as principal matthias_admin/admin@EXAMPLE.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
If I enter
klist -k
I get:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
In my opinion my problems with PowerShell are related to Kerberos.
If I enter the following command in PowerShell:
kinit matthias_admin@EXAMPLE.LOCAL
followed by:
Enter-PSSession -ComputerName ka-dc3.example.local -Authentication Negotiate -Credential matthias_admin@EXAMPLE.LOCAL
I get this error message:
Enter-PSSession : Connecting to remote server ka-dc3.example.local
failed with the following error message : Authorization failed
Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName ka-dc3.example.local -Authentication Ne ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (ka-dc3.example.local:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Any help is appreciated!
Matthias
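As an added illustration (not code from the poster or from MIT krb5), the following Python snippet reproduces, in simplified form, how a Kerberos client turns the quoted krb5.conf into a decision about which realm and KDC to contact for a target host such as ka-dc3.example.local. The sample configuration is constructed from the post; the parser and lookup functions are assumed helpers, not the real library's API.

```python
import re

# Constructed sample, matching the krb5.conf quoted in the post.
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.LOCAL = {
admin_server = ka-dc3.example.local
kdc = ka-dc3.example.local
}
[domain_realm]
.example.local = EXAMPLE.LOCAL
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and
    'NAME = { ... }' sub-blocks as used in [realms]. Values become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def host_to_realm(conf, host):
    """[domain_realm] lookup with dns_lookup_realm=false (simplified): exact
    hostname first, then the longest parent domain (dotted or bare), then
    default_realm. A wrong realm here means the client asks the wrong KDC
    for a service ticket, which surfaces as a 'not found' style error."""
    mapping = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for key in ("." + domain, domain):
            if key in mapping:
                return mapping[key][0]
    return conf["libdefaults"]["default_realm"][0]

def kdcs_for_realm(conf, realm):
    """KDC list for a realm. With dns_lookup_kdc=false the [realms] entry is
    the only source, so a missing entry is a hard configuration error."""
    realm_conf = conf.get("realms", {}).get(realm)
    if realm_conf and "kdc" in realm_conf:
        return realm_conf["kdc"]
    if conf["libdefaults"].get("dns_lookup_kdc", ["true"])[0].lower() == "false":
        raise LookupError(f"no KDC configured for {realm} and DNS lookup is off")
    return []  # would fall back to _kerberos._udp SRV records
```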