On Thu, 24 Nov 2011, Josh Geisser wrote:
> Sorry, was a bit too fast in replying: first, you already documented the
> verification steps (sorry), second, I broke it again :)
> And I'm back in a state of confusion:
> If the keytab is written and krb5.conf is good, I should be able to verify
> this with "kinit", no?
Yes.
> I re-set up that machine and wanted to rejoin it, so I removed it from
> the AD via Users&Computers and a dead-body entry from the LDAP
> (CN=pontus,CN=Computers,DC=example,DC=com).
You can also do "net ads leave" from the machine itself.
> Then I did a net ads join which succeeded with keytab generated:
>
> # klist -kte
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- -----------------------------------------------------
>    2 11/24/11 23:48:24 host/pontus.example.com@EXAMPLE.COM (des-cbc-crc)
>    2 11/24/11 23:48:25 host/pontus.example.com@EXAMPLE.COM (des-cbc-md5)
>    2 11/24/11 23:48:25 host/pontus.example.com@EXAMPLE.COM (arcfour-hmac)
>    2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (des-cbc-crc)
>    2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (des-cbc-md5)
>    2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (arcfour-hmac)
>    2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
>    2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-md5)
>    2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)
Yep, looks normal.
> But using this ticket now fails, in sssd and also with kinit, both
> with 'cred. not found':
>
> # kinit -V -k -t /etc/krb5.keytab host/pontus.example.com@EXAMPLE.COM
> Using default cache: /tmp/krb5cc_0
> Using principal: host/pontus.example.com@EXAMPLE.COM
> Using keytab: /etc/krb5.keytab
> kinit: Client 'host/pontus.example.com@EXAMPLE.COM' not found in Kerberos
> database while getting initial credentials
If you do a net ads join without any other parameters, the credential that'll
work is the PONTUS$ cred, not the others. So "kinit -k PONTUS$" should work.
> SSSD: (Thu Nov 24 23:54:03 2011) [[sssd[ldap_child[931]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> 'host/pontus@EXAMPLE.COM' not found in Kerberos database
>
> Principal is listed in "klist", but not found by "kinit"? What did I
> do wrong this time?
Are you running 1.5 or 1.6? If you're running 1.6 I'd have expected this to
work as long as you'd not specified which principal to use in your sssd.conf.
If you're running 1.5, you should be specifying to use the PONTUS$ cred.

Entries in the keytab can be userPrincipals or servicePrincipals. A service
principal is basically a receptor, and you can't generate a TGT from it (which
is what kinit does). When you join AD you can control what userPrincipal is
created. AFAIK HOSTNAME$ is always a user principal, but you can also make
another one a user principal using createupn=blah.
jh
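The reply above boils down to a check a practitioner can script: read the keytab, pick the machine-account (user) principal, which is the HOSTNAME$ entry, and verify that one with kinit instead of a host/ service principal. The script below is an added example and not part of the thread or of SSSD or Samba; the klist output it parses is a constructed sample modelled on the one in the thread, and it assumes the `klist -kte` column layout shown there (KVNO, date, time, principal) and that `kinit`, `klist` and `kdestroy` are the MIT Kerberos client tools.

```shell
#!/bin/sh
# Added example (not from the thread): identify the machine-account principal
# in a keytab and verify that it can obtain a TGT.

# Constructed sample, modelled on the "klist -kte" output in the thread.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   2 11/24/11 23:48:24 host/pontus.example.com@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus.example.com@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)'

# Distinct principals in "klist -kte" output read from stdin. Entry lines
# start with a numeric KVNO; the principal is the fourth field.
list_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# The machine-account principal: no '/' component and a name ending in '$'.
# This is the user principal that kinit can get a TGT for.
machine_principal() {
    list_principals | grep '^[^/@]*\$@' | head -n 1
}

# Service principals (with a '/' component) are receptors only; "kinit -k"
# against them fails with "Client ... not found in Kerberos database".
service_principals() {
    list_principals | grep '/'
}

# Live check against a real keytab: obtain a TGT for the machine principal
# into a throwaway credential cache, show it, then discard it.
verify_keytab() {
    keytab="${1:-/etc/krb5.keytab}"
    princ="$(klist -kte "$keytab" | machine_principal)"
    if [ -z "$princ" ]; then
        echo "no HOSTNAME\$ entry found in $keytab" >&2
        return 1
    fi
    KRB5CCNAME="FILE:$(mktemp)"
    export KRB5CCNAME
    kinit -k -t "$keytab" "$princ" && klist && kdestroy
}

# Stand-alone run: parse the constructed sample. Pass --live [keytab] to
# check a real keytab on a joined machine instead.
if [ "${1:-}" = "--live" ]; then
    verify_keytab "${2:-/etc/krb5.keytab}"
else
    echo "machine principal to kinit with: $(printf '%s\n' "$SAMPLE_KLIST" | machine_principal)"
    echo "service principals (receptors only, cannot kinit):"
    printf '%s\n' "$SAMPLE_KLIST" | service_principals
fi
```

On the sample this prints `PONTUS$@EXAMPLE.COM` as the principal to use and lists the two `host/` principals as receptors, which is exactly the split the reply describes; run with `--live` on a joined host it performs the real `kinit -k` check with a temporary cache so the root credential cache in /tmp/krb5cc_0 is left untouched.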