[38525] in Kerberos
Kerberos Linux to AD problem
daemon@ATHENA.MIT.EDU (Matthias Brenner)
Fri Apr 26 10:06:09 2019
From: Matthias Brenner <matthias.brenner@blue-yonder.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 26 Apr 2019 14:05:14 +0000
Message-ID: <1556287515776.73911@blue-yonder.com>
Hi, I am trying to connect to a Windows 2012R2 AD server with PowerShell
Core from a Linux client. I can't use NTLM or SSH, so I have to use
Kerberos.
What I did: I installed a Debian 8 client and configured
krb5.conf as follows (comments and blank lines removed):
[logging]
default = FILE:/var/log/krb/krb5libs.log
kdc = FILE:/var/log/krb/krb5kdc.log
admin_server = FILE:/var/log/krb/kadmind.log
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
renew_lifetime = 7d
[realms]
EXAMPLE.LOCAL = {
admin_server = ka-dc3.example.local
kdc = ka-dc3.example.local
}
[domain_realm]
.example.local = EXAMPLE.LOCAL
I also configured sssd.conf and smb.conf. After that I did a domain join.
Now I can see the computer entry in the AD. And I can login
to the linux client with my AD credentials.
But I'm not familiar with kerberos. If I enter the following
command (all the following commands are entered as root user):
kinit -v matthias_admin@EXAMPLE.LOCAL
I get the following output:
Authenticated to Kerberos v5
A
klist
results in:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: matthias_admin@EXAMPLE.LOCAL
Valid starting       Expires              Service principal
25.04.2019 09:24:34  25.04.2019 19:24:34  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        renew until 02.05.2019 09:24:30
The howto told me that a
kinit -k
should work, but I got this error message:
kinit: Client 'host/debian8.example.local@EXAMPLE.LOCAL' not found in
Kerberos database while getting initial credentials
A
kadmin
fails with:
Authenticating as principal matthias_admin/admin@EXAMPLE.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin
interface
If I enter
klist -k
I get:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8.example.local@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 host/debian8@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
2 DEBIAN8$@EXAMPLE.LOCAL
In my opinion my problems with powershell are related to kerberos.
If I enter the following command in powershell:
kinit matthias_admin@EXAMPLE.LOCAL
followed by:
Enter-PSSession -ComputerName ka-dc3.example.local
-Authentication Negotiate -Credential matthias_admin@EXAMPLE.LOCAL
I get this error message:
Enter-PSSession : Connecting to remote server ka-dc3.example.local
failed with the following error message : Authorization failed
Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database For more information, see the
about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName ka-dc3.example.local -Authentication Ne ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (ka-dc3.example.local:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Any help is appreciated!
Matthias
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
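Added diagnostic helper (editor's example; it is not part of Matthias's mail and not MIT krb5 or PowerShell tooling). It encodes the three checks a practitioner would run on the setup above: which keytab principal AD accepts as the client of a keytab kinit (the computer account DEBIAN8$@EXAMPLE.LOCAL; host/debian8.example.local exists on the computer object only as a servicePrincipalName, which is why `kinit -k`, defaulting to host/fqdn, answers "Client 'host/...' not found"); the SPN PowerShell remoting requests for `-ComputerName ka-dc3.example.local` (HTTP/ka-dc3.example.local@EXAMPLE.LOCAL); and the effect of MIT krb5's default `rdns = true`, which swaps the requested host name for the PTR name of the target address and is a frequent cause of "Server not found in Kerberos database" against AD. The `klist -k` text is a constructed sample modelled on the listing in the mail, and the PTR name dc3.corp.example.local is a hypothetical mismatch chosen for illustration.

```shell
#!/bin/sh
# Editor's diagnostic helper for the setup in the mail above; not part of
# the original post or of MIT krb5. Pure text processing, so it runs offline.

# Constructed sample of `klist -k` output, modelled on the listing in the mail.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   2 host/debian8.example.local@EXAMPLE.LOCAL
   2 host/debian8.example.local@EXAMPLE.LOCAL
   2 host/debian8@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL'

# Distinct principals in `klist -k` output read from stdin (one keytab entry
# per encryption type is normal, hence the duplicate lines in the listing).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# The principal AD accepts as the *client* of a keytab kinit: the computer
# account NAME$@REALM. host/fqdn is only a servicePrincipalName of that
# object, so `kinit -k` (which defaults to host/fqdn) fails with
# "Client 'host/...' not found in Kerberos database".
machine_principal() {
    keytab_principals | grep -v '/' | grep '\$@' | head -n 1
}

# SPN that PowerShell remoting (WinRM over Negotiate) requests for
# -ComputerName <host>: the HTTP service class on the host's FQDN.
winrm_spn() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # host part conventionally lower-case
    printf 'HTTP/%s@%s\n' "$host" "$2"
}

# Host part MIT krb5 actually puts into the TGS-REQ. With the default
# rdns = true the requested name is replaced by the PTR record of the target
# address; if that differs from the name the KDC knows, the request fails with
# "Server not found in Kerberos database". rdns = false keeps the requested name.
effective_spn_host() {
    requested=$1 ptr_name=$2 rdns=$3
    if [ "$rdns" = "true" ] && [ -n "$ptr_name" ]; then
        printf '%s\n' "$ptr_name"
    else
        printf '%s\n' "$requested"
    fi
}

# Walk through the mail's scenario with the constructed inputs.
echo "keytab principals:"
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
echo "kinit -k should use: $(printf '%s\n' "$SAMPLE_KLIST" | machine_principal)"
echo "Enter-PSSession will request: $(winrm_spn ka-dc3.example.local EXAMPLE.LOCAL)"
# Hypothetical PTR mismatch: the DC's address reverses to a different name.
echo "SPN host with rdns=true:  $(effective_spn_host ka-dc3.example.local dc3.corp.example.local true)"
echo "SPN host with rdns=false: $(effective_spn_host ka-dc3.example.local dc3.corp.example.local false)"
```

On the client, `kinit -k "$(klist -k | machine_principal)"` obtains a TGT for the machine account. After a user `kinit`, `kvno HTTP/ka-dc3.example.local` shows directly whether the KDC will issue a ticket for the SPN Enter-PSSession asks for (on a domain controller the host/ SPNs cover HTTP through AD's default SPN mappings, so this should succeed once the name the client sends matches the DC's name); if it fails and the DC's PTR record does not match ka-dc3.example.local, set `rdns = false` under [libdefaults]. MIT kadmin has no counterpart on an AD domain controller, so the kadmin error in the mail is expected independently of the rest.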