On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.taylor(a)numerica.us> wrote:
> I have a program I am trying to set up which tries to authenticate
> with the principal host\machine-FQDN@REALM using Kerberos.
> However, when I run kinit -k, the machine isn't found in the Kerberos
> database.
"kinit -k" (with no arguments) defaults to attempting to obtain a TGT
for (e.g.) host/mymachine.example.org@EXAMPLE.ORG, which only works if
you set userPrincipalName to host/mymachine.example.org@EXAMPLE.ORG
when you joined the host to Active Directory.
Running "kinit -k MYMACHINE\$" (that is, using the value of the
sAMAccountName attribute as the argument to "kinit -k") should always
work.
> From what I have read, SSSD is responsible for being the glue
> between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which
> Active Directory uses).
This has nothing to do with sssd; it's all about setting
userPrincipalName correctly when you join the host to AD if you want
"kinit -k" (with no arguments) to work.
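An added illustration of the two principal names discussed above (not code from the thread or its participants): it derives the host/ SPN that a bare "kinit -k" tries and the sAMAccountName form that always exists for an AD-joined machine, and checks a keytab listing for the latter before handing it to kinit. The hostname, realm and the klist -k output are constructed sample values; the 15-character NetBIOS truncation of the computer account name is an assumption about how the account was created at join time.

```shell
#!/bin/sh
# Example (not from the thread): which principal should "kinit -k" use on an
# AD-joined Linux host? Hostname, realm and keytab listing are constructed.

# Default principal that "kinit -k" tries with no argument: host/<fqdn>@<REALM>.
# The AD KDC only knows this name if userPrincipalName was set to it at join.
spn_principal() {
    fqdn=$1
    realm=$2
    printf 'host/%s@%s' "$fqdn" "$realm"
}

# Machine account principal: sAMAccountName of a computer object is the short
# hostname, upper-cased, with a trailing '$'. Assumption: the joining tool
# truncated it to the 15-character NetBIOS limit, as Samba/realmd do.
machine_principal() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15)
    printf '%s$@%s' "$short" "$realm"
}

# Does a "klist -k" listing (passed as text) carry the given principal?
# Fixed-string match so the '$' in the machine account is taken literally.
keytab_has() {
    listing=$1
    principal=$2
    printf '%s\n' "$listing" | grep -q -F -- " $principal"
}

# Argument to pass to "kinit -k": the machine account when the keytab holds a
# key for it (it always exists in the AD database), otherwise the host/ SPN.
choose_principal() {
    fqdn=$1
    realm=$2
    listing=$3
    mp=$(machine_principal "$fqdn" "$realm")
    if keytab_has "$listing" "$mp"; then
        printf '%s' "$mp"
    else
        spn_principal "$fqdn" "$realm"
    fi
}

# Constructed sample of what "klist -k" prints on a host joined with
# "net ads join" or realmd: both the machine account and the host/ SPN.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYMACHINE$@EXAMPLE.ORG
   2 host/mymachine.example.org@EXAMPLE.ORG'

# Stand-alone use on a real host: ./kinit-principal.sh --run
# Reads the real keytab, prints the chosen principal and obtains a TGT.
if [ "${1:-}" = "--run" ]; then
    fqdn=$(hostname -f)
    realm=$(printf '%s' "$fqdn" | cut -d. -f2- | tr '[:lower:]' '[:upper:]')
    principal=$(choose_principal "$fqdn" "$realm" "$(klist -k 2>/dev/null)")
    echo "kinit -k $principal"
    kinit -k "$principal" && klist
fi
```

Passing the sAMAccountName form explicitly, as the reply recommends, sidesteps the dependency on userPrincipalName entirely; the keytab check above only confirms that the join left a key for that account on the host.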