On Wed, Dec 18, 2013 at 09:42:48AM +0100, Sumit Bose wrote:
On Wed, Dec 18, 2013 at 12:54:37AM +0000, Bryan Harris wrote:
> Hello all,
>
> I was wondering if someone would be able to help me track down where I went wrong
> with a 2008 R2 AD > Linux sssd configuration. I am following the guide
> "Configuring sssd to authenticate with a Windows 2008 Domain Server" found on
> the sssd website on fedorahosted.org. Here is the
> link: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authen...
>
> I'm at the step where I run kinit -k CLIENT$@AD.EXAMPLE.COM. Unfortunately
> it's not working for me.
> When I run the command on the client I get this:
> kinit: Client not found in Kerberos database while getting initial credentials
> The Windows server is running Windows 2008 R2, for forest functional level I
> selected 2008 R2. The Linux server is running Debian 6.0.8. The version of sssd
> is 1.2.1-4+squeeze1.
>
> Here is my output from klist -ke :
> root@client:~# klist -ke
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
> 5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
> 5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
> 5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
You need CLIENT$@AD.EXAMPLE.COM in the keytab as well. Any chance you
used -setupn with the ktpass command? If yes, please try without.
btw keytabs that are generated with Samba or realmd should already
contain this principal. In general, I think using Samba or realmd is
even easier and should be recommended.
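
An added example, not part of the original thread: a small shell check that reads `klist -k` or `klist -ke` output and reports whether the keytab holds a key for the principal that `kinit -k` is asked to use. The function names and the sample listing are constructed for illustration; the sample mirrors the host/-only keytab shown in the question.

```shell
#!/bin/sh
# Constructed sample: `klist -ke` output shaped like the listing in the thread,
# a keytab that holds only host/ service principal keys.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}

# Read a klist keytab listing on stdin and print each distinct principal once.
# Entries start after the dashed rule; field 1 is the KVNO, field 2 the principal.
keytab_principals() {
    awk '
        /^-+ +-+/ { body = 1; next }
        body && NF >= 2 && !seen[$2]++ { print $2 }
    '
}

# check_keytab PRINCIPAL: exit 0 if the listing on stdin has a key for exactly
# PRINCIPAL, otherwise list what is present and exit 1.
check_keytab() {
    want=$1
    present=$(keytab_principals)
    # -F: fixed string (the "$" in CLIENT$ is literal), -x: whole-line match
    if printf '%s\n' "$present" | grep -Fxq -- "$want"; then
        echo "ok: keytab has a key for $want"
        return 0
    fi
    echo "missing: no key for $want, so kinit -k for it cannot use this keytab"
    echo "principals present:"
    printf '%s\n' "$present" | sed 's/^/  /'
    return 1
}

# Demo on the constructed sample. On a real host, feed it the live listing:
#   klist -ke /etc/krb5.keytab | check_keytab 'CLIENT$@AD.EXAMPLE.COM'
sample_keytab_listing | check_keytab 'CLIENT$@AD.EXAMPLE.COM' || true
```

Single quotes around the principal matter on the command line, because an unquoted `$@` is expanded by the shell before `kinit` or the check ever sees it.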