Hey,
I recently started trying to authenticate my linux clients using ktpass on an AD-connected Windows client to generate a kerberos keytab for use in linux. Here's the main guide I'm following: https://social.technet.microsoft.co...keytabs-to-integrate-non-windows-systems.aspx
It seems to work OK, but I'm noticing I have some unpredictable behavior when applying the keytab in Linux. I have two clients I'm trying to authenticate, one Debian Bullseye, one Ubuntu 20.04 LTS. Here's an example of my kerberos keytab generation (on AD-connected Windows server 2019):
Bash:
ktpass -out debianclient.keytab -mapUser administrator@DOMAIN.COM -pass password -mapOp set +DumpSalt -crypto all -ptype KRB5_NT_PRINCIPAL -princ LDAP/debianclient.DOMAIN.COM@DOMAIN.COM
Here's an example:
Code:
# on debianclient - works
[root@debianclient]~/ # klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
33 12/31/1969 16:00:00 LDAP/debianclient.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
[root@debianclient]~/ # kinit -Vkt /etc/krb5.keytab LDAP/debianclient.domain.com@DOMAIN.COM
Using default cache: persistent:0:0
Using principal: LDAP/debianclient.domain.com@DOMAIN.COM
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5
# on ubuntuclient - doesn't work
[root@ubuntuclient]~/ # klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
34 12/31/1969 16:00:00 LDAP/ubuntuclient.DOMAIN.COM@DOMAIN.COM (aes256-cts-hmac-sha1-96)
[root@ubuntuclient]~/ # kinit -Vkt /etc/krb5.keytab LDAP/ubuntuclient.DOMAIN.COM@DOMAIN.COM
Using default cache: persistent:0:0
Using principal: LDAP/ubuntuclient.domain.com@DOMAIN.COM
Using keytab: /etc/krb5.keytab
kinit: Client 'LDAP/ubuntuclient.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
Code:
# Packages:
dpkg --get-selections | egrep 'sssd|winbind|samba|krb5' | sed 's:install$::'
krb5-config
krb5-locales
krb5-user
libgssapi-krb5-2:amd64
libkrb5-26-heimdal:amd64
libkrb5-3:amd64
libkrb5support0:amd64
libnss-winbind:amd64
libpam-winbind:amd64
python3-samba
samba
samba-common
samba-common-bin
samba-dsdb-modules:amd64
samba-libs:amd64
samba-vfs-modules:amd64
sssd
sssd-ad
sssd-ad-common
sssd-common
sssd-ipa
sssd-krb5
sssd-krb5-common
sssd-ldap
sssd-proxy
sssd-tools
winbind
# .conf files
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
/etc/krb5.conf
/etc/samba/smb.conf
/usr/lib/realmd/realmd-defaults.conf
/usr/lib/realmd/realmd-distro.conf
/etc/security/pam_winbind.conf
Code:
# debianclient = left, ubuntuclient = right
krb5-config 2.6+nmu1 | krb5-config 2.6ubuntu1
krb5-locales 1.18.3-4 | krb5-locales 1.17-6ubuntu4.1
krb5-user 1.18.3-4 | krb5-user 1.17-6ubuntu4.1
libgssapi-krb5-2:amd64 1.18.3-4 | libgssapi-krb5-2:amd64 1.17-6ubuntu4.1
libkrb5-26-heimdal:amd64 7.7.0+dfsg-2 | libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1
libkrb5-3:amd64 1.18.3-4 | libkrb5-3:amd64 1.17-6ubuntu4.1
libkrb5support0:amd64 1.18.3-4 | libkrb5support0:amd64 1.17-6ubuntu4.1
libnss-winbind:amd64 2:4.13.5+dfsg-1 | libnss-winbind:amd64 2:4.11.6+dfsg-0ubuntu1.6
libpam-winbind:amd64 2:4.13.5+dfsg-1 | libpam-winbind:amd64 2:4.11.6+dfsg-0ubuntu1.6
python3-samba 2:4.13.5+dfsg-1 | python3-samba 2:4.11.6+dfsg-0ubuntu1.6
samba 2:4.13.5+dfsg-1 | samba 2:4.11.6+dfsg-0ubuntu1.6
samba-common 2:4.13.5+dfsg-1 | samba-common 2:4.11.6+dfsg-0ubuntu1.6
samba-common-bin 2:4.13.5+dfsg-1 | samba-common-bin 2:4.11.6+dfsg-0ubuntu1.6
samba-dsdb-modules:amd64 2:4.13.5+dfsg-1 | samba-dsdb-modules:amd64 2:4.11.6+dfsg-0ubuntu1.6
samba-libs:amd64 2:4.13.5+dfsg-1 | samba-libs:amd64 2:4.11.6+dfsg-0ubuntu1.6
samba-vfs-modules:amd64 2:4.13.5+dfsg-1 | samba-vfs-modules:amd64 2:4.11.6+dfsg-0ubuntu1.6
sssd 2.4.1-2 | sssd 2.2.3-3ubuntu0.4
sssd-ad 2.4.1-2 | sssd-ad 2.2.3-3ubuntu0.4
sssd-ad-common 2.4.1-2 | sssd-ad-common 2.2.3-3ubuntu0.4
sssd-common 2.4.1-2 | sssd-common 2.2.3-3ubuntu0.4
sssd-ipa 2.4.1-2 | sssd-ipa 2.2.3-3ubuntu0.4
sssd-krb5 2.4.1-2 | sssd-krb5 2.2.3-3ubuntu0.4
sssd-krb5-common 2.4.1-2 | sssd-krb5-common 2.2.3-3ubuntu0.4
sssd-ldap 2.4.1-2 | sssd-ldap 2.2.3-3ubuntu0.4
sssd-proxy 2.4.1-2 | sssd-proxy 2.2.3-3ubuntu0.4
sssd-tools 2.4.1-2 | sssd-tools 2.2.3-3ubuntu0.4
winbind 2:4.13.5+dfsg-1 | winbind 2:4.11.6+dfsg-0ubuntu1.6
I'm really hoping someone with more experience doing this can give me a hint as to why kinit will work on one host but not the other!

Thanks
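The two klist listings in the post differ in one visible way: the host part of the principal is lowercase on debianclient (`LDAP/debianclient.domain.com@DOMAIN.COM`) and uppercase on ubuntuclient (`LDAP/ubuntuclient.DOMAIN.COM@DOMAIN.COM`), while the kinit command on ubuntuclient resolves to the lowercase form. Kerberos principal names are compared byte-for-byte on the client side (kinit's keytab lookup is case-sensitive), and ktpass stores the `-princ` value exactly as typed, so a pre-flight check that compares the keytab's principals with the one kinit will ask for is the first thing to run before blaming packages. The script below is an added example written for this page, not code from the original post or from the linked guide. The `SAMPLE_OK` and `SAMPLE_BAD` listings are constructed inline to mirror the two outputs above (the extra `arcfour-hmac` line in `SAMPLE_BAD` is invented to exercise the weak-enctype check); `preflight` is a hypothetical wrapper that runs the same checks against a real keytab via `klist` and `kinit`.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a keytab listing
# before running kinit. Functions take the text of `klist -kte <keytab>`.

# Constructed sample listings modelled on the two klist outputs in the post.
SAMPLE_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  33 12/31/1969 16:00:00 LDAP/debianclient.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)'

SAMPLE_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  34 12/31/1969 16:00:00 LDAP/ubuntuclient.DOMAIN.COM@DOMAIN.COM (aes256-cts-hmac-sha1-96)
  34 12/31/1969 16:00:00 LDAP/ubuntuclient.DOMAIN.COM@DOMAIN.COM (arcfour-hmac)'

# keytab_principals LISTING -> unique principals, one per line.
# Entry rows start with a numeric KVNO; the principal is the 4th column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# principal_match LISTING WANTED -> prints "exact", "case-only" or "none".
# Kerberos compares principal names byte-for-byte, so "case-only" means the
# keytab will NOT satisfy a kinit for WANTED even though it looks right.
principal_match() {
    listing=$1
    wanted=$2
    if keytab_principals "$listing" | grep -qxF -- "$wanted"; then
        echo exact
    elif keytab_principals "$listing" | grep -qixF -- "$wanted"; then
        echo case-only
    else
        echo none
    fi
}

# weak_enctypes LISTING -> number of entries carrying DES or RC4 keys
# (what `ktpass -crypto all` produces in addition to AES).
weak_enctypes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/' \
        | grep -ciE 'des-cbc|des3-cbc|arcfour-hmac' || true
}

# preflight KEYTAB PRINCIPAL -> hypothetical wrapper: run the checks against a
# real keytab on the host, then kinit only when the principal matches exactly.
preflight() {
    keytab=$1
    principal=$2
    listing=$(klist -kte "$keytab")
    case $(principal_match "$listing" "$principal") in
        exact) ;;
        case-only)
            echo "keytab principal differs from '$principal' only in case;" \
                 "regenerate the keytab with the exact name" >&2
            return 1 ;;
        none)
            echo "no entry for '$principal' in $keytab" >&2
            return 1 ;;
    esac
    if [ "$(weak_enctypes "$listing")" -gt 0 ]; then
        echo "warning: $keytab holds DES/RC4 keys; prefer ktpass -crypto AES256-SHA1" >&2
    fi
    kinit -V -kt "$keytab" "$principal"
}
```

Usage on a client: `preflight /etc/krb5.keytab LDAP/ubuntuclient.domain.com@DOMAIN.COM`. Two caveats a practitioner would add to the ktpass line in the post: `-mapUser administrator@DOMAIN.COM -pass password -mapOp set` resets the built-in Administrator account's password and writes that account's long-term key into a file on the Linux host, so whoever can read `/etc/krb5.keytab` holds Domain Admin credentials; a dedicated service account per host is the usual choice. And `-crypto all` emits DES and RC4 keys alongside AES, which the `weak_enctypes` check above flags.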