Windows 2003 realm joined
James Hancock
20horizon93 at gmail.com
Thu Mar 20 22:38:03 EDT 2025
Hello. I am interested in joining a Linux Debian client to an MS AD domain
on Windows 2003. This is very important for me. As I understand it, the
issue is not the removal of single-DES support in version 1.18, but a
change in behavior regarding 2003 GSSAPI and SPNEGO. Could you please
advise what functionality I would need to restore (at my own risk, of
course) so that I can join an MS AD domain on Windows 2003? I have already
spent about a week reading all the commits from version 1.17-final to
1.18.3-final, and I cannot pinpoint from the commits what exactly changed
in Kerberos behavior. I would appreciate your help.
The versions I am interested in are:
krb5 version: 1.18.3 (Debian 11), 1.21.1 (Debian 12), and also krb5 1.19.
The command used is:
sudo realm join ad03.loc -U Administrator --unattended --verbose --client-software=sssd --membership-software=adcli
klist -e:
$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@AD03.LOC

Valid starting       Expires              Service principal
21.03.2025 05:37:59  21.03.2025 15:37:59  krbtgt/AD03.LOC@AD03.LOC
        renew until 22.03.2025 05:37:58, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
krb5.conf:
~$ sudo cat /etc/krb5.conf
[libdefaults]
    default_realm = AD03.LOC
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    rdns = false
    allow_weak_crypto = true
    permitted_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

[realms]
    AD03.LOC = {
        kdc = ws03.ad03.loc:88
        kdc = ws03.ad03.loc:88
        admin_server = ws03.ad03.loc:749
    }

[domain_realm]
    ad03.loc = AD03.LOC
    .ad03.loc = AD03.LOC
realm log:
 * Authenticated as user: Administrator@AD03.LOC
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
adcli: couldn't connect to ad03.loc domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
 ! Insufficient permissions to join the domain
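The krb5.conf above turns on allow_weak_crypto and pins every enctype list to rc4-hmac. As an added example (not part of the original post, and not code from MIT krb5 or realmd), here is a small audit script that parses the [libdefaults] section of such a file and reports the weak-crypto settings a defender would want flagged; the sample input is the poster's own configuration, embedded as a constant.

```python
"""Audit a krb5.conf [libdefaults] section for weak-crypto settings (added example)."""
import re

# Sample input constructed from the configuration quoted in the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = AD03.LOC
allow_weak_crypto = true
permitted_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
AD03.LOC = {
kdc = ws03.ad03.loc:88
}
"""

# Enctypes MIT krb5 marks deprecated or that need allow_weak_crypto (RC4, DES, 3DES).
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

def parse_libdefaults(text):
    """Return key/value pairs from [libdefaults]; brace-nested blocks in other sections are skipped."""
    settings, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1), 0
            continue
        depth += line.count("{") - line.count("}")   # track nesting like AD03.LOC = { ... }
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_weak_crypto(text):
    """Return a list of finding strings; an empty list means nothing weak was found."""
    cfg = parse_libdefaults(text)
    findings = []
    if cfg.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto=true: deprecated enctypes are re-enabled")
    for key in ENCTYPE_KEYS:
        if key not in cfg:
            continue
        etypes = {e.lower() for e in re.split(r"[,\s]+", cfg[key]) if e}
        weak = sorted(etypes & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} includes weak enctypes: {', '.join(weak)}")
        if weak and etypes <= WEAK_ENCTYPES:
            findings.append(f"{key} leaves no strong (AES) enctype available")
    return findings
```

Run against the sample it yields one finding for allow_weak_crypto and two per enctype key, which is the expected result for a Windows 2003 realm that only offers RC4.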