You also do not need to have UPN set up for this to work. Save UPN for some service which
really needs it (like rpc.gssd).
This kind of error usually signals a problem in DNS/reverse DNS resolution of the client.
Ondrej
________________________________________
From: sssd-users-bounces(a)lists.fedorahosted.org
[sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Jakub Hrozek
[jhrozek(a)redhat.com]
Sent: Wednesday, December 18, 2013 10:35 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] kinit: Client not found in Kerberos database
On Wed, Dec 18, 2013 at 09:42:48AM +0100, Sumit Bose wrote:
On Wed, Dec 18, 2013 at 12:54:37AM +0000, Bryan Harris wrote:
> Hello all,
>
> I was wondering if someone would be able to help me track down where I went wrong
> with a 2008 R2 AD > Linux sssd configuration. I am following the guide
> "Configuring sssd to authenticate with a Windows 2008 Domain Server" found on
> the sssd website on fedorahosted.org. Here is the link:
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate...
>
> I'm at the step where I run kinit -k CLIENT$@AD.EXAMPLE.COM. Unfortunately
> it's not working for me.
> When I run the command on the client I get this:
> kinit: Client not found in Kerberos database while getting initial credentials
> The Windows server is running Windows 2008 R2, for forest functional level I
> selected 2008 R2. The Linux server is running Debian 6.0.8. The version of sssd is
> 1.2.1-4+squeeze1.
>
> Here is my output from klist -ke :
> root@client:~# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
> 5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
> 5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
> 5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
You need CLIENT$@AD.EXAMPLE.COM in the keytab as well. Any chance you
used -setupn with the ktpass command? If yes, please try without.
btw keytabs that are generated with Samba or realmd should already
contain this principal. In general, I think using Samba or realmd is
even easier and should be recommended.
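
The check described in the thread, whether the principal passed to `kinit -k` is actually present in the keytab, written out as an added example that is not part of the original messages. The function names are made up for illustration, and the sample input is constructed from the `klist -ke` output quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: shortened klist -ke output modelled on the thread.
sample_klist() {
cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}

# Read klist -ke output on stdin and print each distinct principal once.
# Entry lines start with a numeric KVNO; header and ruler lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }' | sort -u
}

# check_kinit_principal PRINCIPAL
# Read klist -ke output on stdin. Return 0 if PRINCIPAL is in the keytab,
# otherwise list what is there and return 1. The match is exact and
# case-sensitive, because kinit -k looks the name up in the keytab as typed.
check_kinit_principal() {
    want=$1
    principals=$(keytab_principals)
    if printf '%s\n' "$principals" | grep -Fxq -- "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    echo "MISSING: $want is not in the keytab. Principals present:"
    printf '%s\n' "$principals" | sed 's/^/  /'
    return 1
}

# Demo on the constructed sample. On a real host use:
#   klist -ke /etc/krb5.keytab | check_kinit_principal 'CLIENT$@AD.EXAMPLE.COM'
sample_klist | check_kinit_principal 'CLIENT$@AD.EXAMPLE.COM' || true
```

The listing printed in the MISSING case also shows which realm the keytab entries use, which is worth comparing against the realm given to `kinit`.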