Hello all,

I wasn't sure who to reply to, so here goes. I have tried an alternative method of kinit arguments, and received a ticket back this time. I just wanted to mention it and show the output, even though it seems now that I may want to use the Samba tools to do these steps anyway.

Here it is, sanitized.

client = Linux Debian sssd client
domain.local is the AD domain

kinit -k 'host/client.domain.local@DOMAIN.LOCAL'
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client.domain.local@DOMAIN.LOCAL

Valid starting     Expires            Service principal
12/18/13 17:06:16  12/19/13 03:06:14  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 12/25/13 17:06:16


Bryan

On Dec 17, 2013, at 06:54 PM, Bryan Harris <bryanlharris@me.com> wrote:

Hello all,

I was wondering if someone would be able to help me track down where I went wrong with a 2008 R2 AD > Linux sssd configuration.  I am following the guide "Configuring sssd to authenticate with a Windows 2008 Domain Server" found on the sssd website on fedorahosted.org.  Here is the link: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

I'm at the step where I run kinit -k CLIENT$@AD.EXAMPLE.COM.  Unfortunately it's not working for me.
When I run the command on the client I get this:
kinit: Client not found in Kerberos database while getting initial credentials
The Windows server is running Windows 2008 R2; for the forest functional level I selected 2008 R2. The Linux server is running Debian 6.0.8. The version of sssd is 1.2.1-4+squeeze1.

Here is my output from klist -ke:
root@client:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)


I had a similar problem a while back, and I even mailed the list for help. In that case, however, I was able to get things to work by simply re-running the setspn and ktpass commands. However, that workaround is not fixing the issue this time.

Any help would be greatly appreciated.
Bryan
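
An added example, not part of the original thread: a small Python check that parses `klist -ke` output in the format shown above and reports whether the principal handed to `kinit -k` has a key in the keytab, along with any DES or RC4 entries stored for it. The function names and the `CLIENT$@DOMAIN.LOCAL` value are assumptions made for illustration; the sample listing is copied from the post.

```python
import re

# Sample input: the sanitized `klist -ke` listing from the post.
SAMPLE_KLIST_KE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

# One keytab entry: "<kvno> <principal> (<enctype description>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# DES (RFC 6649) and RC4/ArcFour (RFC 8429) are deprecated enctypes.
WEAK_PREFIXES = ("des", "arcfour")


def parse_keytab_listing(text):
    """Return {principal: [(kvno, enctype), ...]} from `klist -ke` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not start with a KVNO
            kvno, principal, enctype = m.groups()
            entries.setdefault(principal, []).append((int(kvno), enctype))
    return entries


def check_principal(entries, wanted):
    """Summarize what the keytab holds for the principal given to `kinit -k`."""
    keys = entries.get(wanted, [])  # exact match on the full principal string
    return {
        "in_keytab": bool(keys),
        "available": sorted(entries),
        "weak_enctypes": [e for _, e in keys if e.lower().startswith(WEAK_PREFIXES)],
    }


if __name__ == "__main__":
    keytab = parse_keytab_listing(SAMPLE_KLIST_KE)
    # CLIENT$@DOMAIN.LOCAL is a constructed value in the guide's CLIENT$@REALM form.
    for name in ("CLIENT$@DOMAIN.LOCAL", "host/server.domain.local@DOMAIN.LOCAL"):
        print(name, check_principal(keytab, name))
```
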