Kerberos Linux to AD problem

Rob A docsmooth2486 at gmail.com
Mon May 6 09:43:29 EDT 2019


First, make sure you disabled mdns3 or moved it down the list in your
nsswitch, so that the .local domain will work properly. This is just good
hygiene.

Second, just log in with your AD credentials with sssd and type klist. It
should show the right credentials. Kinit should not be necessary.

Third, try smbclient -k //ka-dc01.example.local/c\$

If that works, then Kerberos is set up right. I'm not sure PS Core supports
Kerberos properly from Linux yet (they didn't 3 months ago), check github.

--
Robert Auch
via +1-773-655-6834
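
The first check above (mDNS ahead of DNS in nsswitch breaking a .local AD domain) as an added example, not code from either poster: a POSIX sh function that inspects the `hosts:` line of an nsswitch.conf and flags an mdns module that precedes `dns`. The file paths and sample contents are constructed so it runs offline; point it at /etc/nsswitch.conf on a real client.

```shell
#!/bin/sh
# Added example (not from the thread): check the "hosts:" order in an
# nsswitch.conf so that a .local AD realm (EXAMPLE.LOCAL in the thread) is
# resolved by DNS rather than captured by an mDNS module.

# hosts_order_ok FILE
#   0  "dns" appears before every mdns* module on the hosts line
#   1  an mdns* module comes first; with "[NOTFOUND=return]" behind it,
#      a *.local name that mDNS cannot answer never reaches DNS, so the
#      KDC and the DC's SPN host are unresolvable for Kerberos
#   2  the file has no hosts line at all
hosts_order_ok() {
    line=$(grep -E '^[[:space:]]*hosts:' "$1" | head -n 1)
    [ -n "$line" ] || return 2
    seen_dns=0
    for tok in ${line#*hosts:}; do
        case "$tok" in
            '['*)  ;;                               # action spec, e.g. [NOTFOUND=return]
            dns)   seen_dns=1 ;;
            mdns*) [ "$seen_dns" -eq 1 ] || return 1 ;;
        esac
    done
    [ "$seen_dns" -eq 1 ]
}

# Constructed samples: the order libnss-mdns typically installs (mDNS first)
# and the corrected order with dns ahead of it.
BAD_NSS=$(mktemp)
printf 'passwd: files sss\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$BAD_NSS"
GOOD_NSS=$(mktemp)
printf 'passwd: files sss\nhosts: files dns mdns4_minimal [NOTFOUND=return]\n' > "$GOOD_NSS"

for f in "$BAD_NSS" "$GOOD_NSS"; do
    if hosts_order_ok "$f"; then
        echo "$f: OK, dns precedes mdns for .local lookups"
    else
        echo "$f: mdns module precedes dns; move it after dns or remove it"
    fi
done
rm -f "$BAD_NSS" "$GOOD_NSS"
```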


On Fri, Apr 26, 2019, 09:06 Matthias Brenner <
matthias.brenner at blue-yonder.com> wrote:

> Hi, I try to connect to a Windows 2012R2 AD server with PowerShell
> Core from a Linux client. I can't use NTLM or ssh, so I have to use
> Kerberos.
>
>
> What I did: I installed a debian8 client and configured
> krb5.conf as follows: (comments and blank lines removed)
>   [logging]
>   default = FILE:/var/log/krb/krb5libs.log
>   kdc = FILE:/var/log/krb/krb5kdc.log
>   admin_server = FILE:/var/log/krb/kadmind.log
>
>
>   [libdefaults]
>     default_realm = EXAMPLE.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     renew_lifetime = 7d
>
>
>   [realms]
>     EXAMPLE.LOCAL = {
>         admin_server = ka-dc3.example.local
>         kdc = ka-dc3.example.local
>     }
>
>   [domain_realm]
>     .example.local = EXAMPLE.LOCAL
>
>
> I also configured sssd.conf and smb.conf. After that I did a domain join.
> Now I can see the computer entry in the AD. And I can log in
> to the Linux client with my AD credentials.
>
>
> But I'm not familiar with Kerberos. If I enter the following
> command (all the following commands are entered as root user):
>   kinit -v matthias_admin@EXAMPLE.LOCAL
> I get the following output:
>   Authenticated to Kerberos v5
>
>
> A
>   klist
> results in:
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: matthias_admin@EXAMPLE.LOCAL
>
>
>   Valid starting       Expires              Service principal
>   25.04.2019 09:24:34  25.04.2019 19:24:34
> krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
>         renew until 02.05.2019 09:24:30
>
>
>
> The howto told me that a
>   kinit -k
> should work, but I got this error message:
>   kinit: Client 'host/debian8.example.local@EXAMPLE.LOCAL' not found in
>   Kerberos database while getting initial credentials
>
>
> A
>   kadmin
> fails with:
>   Authenticating as principal matthias_admin/admin@EXAMPLE.LOCAL with
> password.
>   kadmin: Client not found in Kerberos database while initializing kadmin
>   interface
>
>
> If I enter
>   klist -k
> I get:
>   Keytab name: FILE:/etc/krb5.keytab
>   KVNO Principal
>   ---- --------------------------------------------------------------------
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>
>
> In my opinion my problems with PowerShell are related to Kerberos.
> If I enter the following command in PowerShell:
>   kinit matthias_admin@EXAMPLE.LOCAL
> followed by:
>   Enter-PSSession -ComputerName ka-dc3.example.local
>      -Authentication Negotiate -Credential matthias_admin@EXAMPLE.LOCAL
> I get this error message:
>   Enter-PSSession : Connecting to remote server ka-dc3.example.local
>   failed with the following error message : Authorization failed
>   Unspecified GSS failure.  Minor code may provide more information
>   Server not found in Kerberos database For more information, see the
>   about_Remote_Troubleshooting Help topic.
>   At line:1 char:1
>   + Enter-PSSession -ComputerName ka-dc3.example.local -Authentication Ne
> ...
>   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   + CategoryInfo          : InvalidArgument: (ka-dc3.example.local:String)
> [Enter-PSSession], PSRemotingTransportException
>   + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
>
>
>
>
> Any help is appreciated!
>
>
> Matthias
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

