Hello Sumit,
Thanks for your reply! I will comment in-line below.
On Dec 18, 2013, at 02:42 AM, Sumit Bose <sbose(a)redhat.com> wrote:

> On Wed, Dec 18, 2013 at 12:54:37AM +0000, Bryan Harris wrote:
>> root@client:~# klist -ke
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
>> 5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
>> 5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
>> 5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>> 5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>
> You need CLIENT$@AD.EXAMPLE.COM in the keytab as well. Any chance you
> used -setupn with the ktpass command? If yes, please try without.
Here are the commands I used. Unless it is implied or enabled by default, I did not use
the -setupn (at least not on purpose).
client = sssd Debian server hostname

setspn -A host/client.domain.local@DOMAIN.LOCAL client
setspn -L client
ktpass /princ host/client.domain.local@DOMAIN.LOCAL /out c:\client-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser DOMAIN\client$ /pass *
Also, when I run ktpass I get this message. Just thought I would mention in case it's
important.
WARNING: Account AGEO01VMW03$ is not a user account (uacflags=0x11001).
WARNING: Resetting AGEO01VMW03$'s password may cause authentication problems if AGEO01VMW03$ is being used as a server.
Bryan
PS - I have the AD server IP address in my resolv.conf (it's the only name server).
Not sure if that matters or not. I can do normal DNS lookups, plus I can successfully
look up things like _kerberos._tcp.domain.local. I can give more DNS details if needed.
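As an added illustration (not part of this thread or of sssd), a small Python checker that parses `klist -ke` output and applies the test Sumit is describing: both the host/ SPN and the machine-account principal (short hostname, uppercased, plus a trailing `$`, at the realm) must be present, no principal should have DES-only keys, and each principal should carry a single KVNO. The sample listing is the one from the thread with the archive's "(a)" restored to "@"; the machine-account naming rule is an assumption.

```python
import re

# Constructed sample input: the klist -ke listing from the thread, with the
# archive's "(a)" restored to "@".
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

# One keytab entry line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Map each principal to the KVNOs and encryption types listed for it."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:  # "Keytab name:", header and separator lines
            continue
        kvno, princ, enctype = int(m.group(1)), m.group(2), m.group(3)
        e = entries.setdefault(princ, {"kvno": set(), "enctypes": set()})
        e["kvno"].add(kvno)
        e["enctypes"].add(enctype)
    return entries


def check_keytab(text, hostname, realm):
    """Return problems for this host's keytab: missing host/<fqdn>@REALM, missing
    machine-account <SHORT>$@REALM (the entry Sumit asks for; naming assumed),
    DES-only keys, and mixed KVNOs (a ktpass password reset bumps the KVNO)."""
    entries = parse_klist(text)
    problems = []
    for required in (f"host/{hostname}@{realm}",
                     f"{hostname.split('.')[0].upper()}$@{realm}"):
        if required not in entries:
            problems.append(f"missing {required}")
    for princ, e in entries.items():
        if all(t.startswith("DES") for t in e["enctypes"]):
            problems.append(f"{princ} has only DES keys")
        if len(e["kvno"]) > 1:
            problems.append(f"{princ} has mixed KVNOs {sorted(e['kvno'])}")
    return problems
```

Run against the thread's listing for server.domain.local it reports only the missing SERVER$@DOMAIN.LOCAL entry, which is the gap Sumit points at.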