Issues getting Kerberos to work with realmd and Active Directory

Wesley Taylor wesley.taylor at numerica.us
Thu Jul 30 13:00:24 EDT 2020


Hi All,

I am trying to get HTCondor with Kerberos authentication (https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication) to work on some Linux machines I have which I joined to Windows Active Directory with realmd. HTCondor tries to authenticate with the machine principal, but I am having a hard time figuring out what that is. When I run 'klist -k' I see a bunch of entries from /etc/krb5.keytab along the lines of host/fqdn@REALM. However, when I run 'kinit -k' I get "kinit: Client $(hostname) not found in Kerberos database".

I then interrogated the realm with adcli, using 'adcli testjoin --verbose', and it outputs the computer account name as HOST/HOSTNAME@REALM. When I run 'kinit -k HOST/HOSTNAME@REALM' I get back the error "kinit: Keytab contains no suitable keys for HOST/HOSTNAME@REALM".

I am confused because when I run 'adcli update --verbose' it says it updated the keytab at /etc/krb5.keytab and outputs the same account name (which I am assuming is the principal for the computer) as adcli testjoin. I am really scratching my head about this. What am I doing wrong here?

Thanks,
Wes

