[38530] in Kerberos
Re: Kerberos Linux to AD problem
daemon@ATHENA.MIT.EDU (Rob A)
Mon May  6 09:44:08 2019
MIME-Version: 1.0
In-Reply-To: <1556287515776.73911@blue-yonder.com>
From: Rob A <docsmooth2486@gmail.com>
Date: Mon, 6 May 2019 08:43:29 -0500
Message-ID: <CAMH5BinQh_F+MyDGWD9u3UcTv67dPr8kdUYBqB1kMXW2LOveoQ@mail.gmail.com>
To: Matthias Brenner <matthias.brenner@blue-yonder.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
First, make sure you disabled mdns3 or moved it down the list in your
nsswitch, so that the .local domain will work properly. This is just good
hygiene.
Second, just log in with your AD credentials with sssd and type klist. It
should show the right credentials. Kinit should not be necessary.
Third, try smbclient -k //ka-dc01.example.local/c\$
If that works, then Kerberos is set up right. I'm not sure PS Core supports
Kerberos properly from Linux yet (they didn't 3 months ago), check GitHub.
--
Robert Auch
via +1-773-655-6834
On Fri, Apr 26, 2019, 09:06 Matthias Brenner <
matthias.brenner@blue-yonder.com> wrote:
> Hi, I try to connect to a Windows 2012R2 AD server with PowerShell
> Core from a Linux client. I can't use NTLM or ssh, so I have to use
> Kerberos.
>
>
> What I did: I installed a debian8 client and configured
> krb5.conf as follows: (comments and blank lines removed)
>   [logging]
>   default = FILE:/var/log/krb/krb5libs.log
>   kdc = FILE:/var/log/krb/krb5kdc.log
>   admin_server = FILE:/var/log/krb/kadmind.log
>
>
>   [libdefaults]
>     default_realm = EXAMPLE.LOCAL
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     renew_lifetime = 7d
>
>
>   [realms]
>     EXAMPLE.LOCAL = {
>         admin_server = ka-dc3.example.local
>         kdc = ka-dc3.example.local
>     }
>
>   [domain_realm]
>     .example.local = EXAMPLE.LOCAL
>
>
> I also configured sssd.conf and smb.conf. After that I did a domain join.
> Now I can see the computer entry in the AD. And I can login
> to the linux client with my AD credentials.
>
>
> But I'm not familiar with kerberos. If I enter the following
> command (all the following commands are entered as root user):
>   kinit -v matthias_admin@EXAMPLE.LOCAL
> I get the following output:
>   Authenticated to Kerberos v5
>
>
> A
>   klist
> results in:
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: matthias_admin@EXAMPLE.LOCAL
>
>
>   Valid starting       Expires              Service principal
>   25.04.2019 09:24:34  25.04.2019 19:24:34
> krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
>         renew until 02.05.2019 09:24:30
>
>
>
> The howto told me that a
>   kinit -k
> should work, but I got this error message:
>   kinit: Client 'host/debian8.example.local@EXAMPLE.LOCAL' not found in
>   Kerberos database while getting initial credentials
>
>
> A
>   kadmin
> fails with:
>   Authenticating as principal matthias_admin/admin@EXAMPLE.LOCAL with
> password.
>   kadmin: Client not found in Kerberos database while initializing kadmin
>   interface
>
>
> If I enter
>   klist -k
> I get:
>   Keytab name: FILE:/etc/krb5.keytab
>   KVNO Principal
>   ---- --------------------------------------------------------------------
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8.example.local@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 host/debian8@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>    2 DEBIAN8$@EXAMPLE.LOCAL
>
>
> In my opinion my problems with powershell are related to kerberos.
> If I enter the following command in powershell:
>   kinit matthias_admin@EXAMPLE.LOCAL
> followed by:
>   Enter-PSSession -ComputerName ka-dc3.example.local
>      -Authentication Negotiate -Credential matthias_admin@EXAMPLE.LOCAL
> I get this error message:
>   Enter-PSSession : Connecting to remote server ka-dc3.example.local
>   failed with the following error message : Authorization failed
>   Unspecified GSS failure.  Minor code may provide more information
>   Server not found in Kerberos database For more information, see the
>   about_Remote_Troubleshooting Help topic.
>   At line:1 char:1
>   + Enter-PSSession -ComputerName ka-dc3.example.local -Authentication Ne
> ...
>   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   + CategoryInfo          : InvalidArgument: (ka-dc3.example.local:String)
> [Enter-PSSession], PSRemotingTransportException
>   + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
>
>
>
>
> Any help is appreciated!
>
>
> Matthias
>
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
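The three checks in Rob's reply, plus the reason `kinit -k` reports "Client not found" in Matthias's post (in AD the host/ names are SPN aliases of the computer account, so `kinit -k` must be given the account principal), as an added shell helper that is not from the thread. The function names are my own, and the sample inputs are constructed from the thread's own `klist` and `klist -k` output so the script runs offline.

```shell
# Added diagnostic helper, not code from the thread: it applies Rob's three
# checks to sample data constructed inline so it runs offline. On a real host
# feed it the hosts: line of /etc/nsswitch.conf and live `klist` / `klist -k`.

# 1. nsswitch hygiene: an mdns source listed before "dns" on the hosts line
#    answers .local names via multicast DNS, so example.local never reaches
#    the AD DNS servers. Returns 0 only when dns comes before any mdns source.
check_nsswitch_hosts() {
    sources=$(printf '%s\n' "$1" | sed -e 's/^hosts:[[:space:]]*//' -e 's/\[[^]]*\]//g')
    seen_dns=0
    for src in $sources; do
        case "$src" in
            dns)   seen_dns=1 ;;
            mdns*) [ "$seen_dns" -eq 1 ] || return 1 ;;
        esac
    done
    return 0
}

# 2. After an sssd login the cache must already hold a TGT; no kinit needed.
has_tgt() {  # $1 = klist output, $2 = realm
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# 3. The keytab must hold host/<fqdn>, the name smbclient -k and GSSAPI
#    services on this box authenticate with.
keytab_has_principal() {  # $1 = `klist -k` output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { f=1 } END { exit !f }'
}

# In AD the host/ names are SPN aliases of the computer account, so `kinit -k`
# must name the account entry (the one ending in "$@REALM"); given the default
# host/ principal it fails with "Client not found", as in the thread.
keytab_account_principal() {  # $1 = `klist -k` output; prints DEBIAN8$@EXAMPLE.LOCAL
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 ~ /\$@/ { print $2; exit }'
}

# Constructed sample inputs, copied from the thread's klist / klist -k output.
NSSWITCH_GOOD='hosts: files dns mdns4_minimal [NOTFOUND=return]'
KLIST_SAMPLE='Default principal: matthias_admin@EXAMPLE.LOCAL
Valid starting       Expires              Service principal
25.04.2019 09:24:34  25.04.2019 19:24:34  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL'
KEYTAB_SAMPLE='KVNO Principal
---- ---------
   2 host/debian8.example.local@EXAMPLE.LOCAL
   2 host/debian8@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL'
check_nsswitch_hosts "$NSSWITCH_GOOD" && has_tgt "$KLIST_SAMPLE" EXAMPLE.LOCAL \
  && keytab_has_principal "$KEYTAB_SAMPLE" host/debian8.example.local@EXAMPLE.LOCAL \
  && echo "all checks passed; kinit -k principal: $(keytab_account_principal "$KEYTAB_SAMPLE")"
```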