[Samba] Samba AD Trust and Linux Clients Failing with Kerberos

Sebastian Lisic lisic at uw.edu
Fri Dec 13 22:24:42 UTC 2019


Hi everyone,

I've been trying for a week to get my Linux clients to work with a Samba AD trust and would appreciate any help.

I have two active directory domains: DOMAIN.COM and SUB.DOMAIN.COM

Each has a Samba 4.10.10 DC. There exists a two-way forest trust between the two.

The two DCs can talk to one another, but the clients on each cannot (so clients need to talk through their own domain's DC).

I can join/log into a Windows 10 or Server 2019 machine on SUB.DOMAIN.COM with an admin/user account from DOMAIN.COM with no issue.

Linux machines on SUB.DOMAIN.COM, however, cannot access anything on DOMAIN.COM. Just trying to get a Kerberos ticket via kinit USER@DOMAIN.COM fails.

[root@client.SUB.DOMAIN.COM /]# KRB5_TRACE=/dev/stdout kinit user@DOMAIN.COM
[1221] 1576265136.982936: Getting initial credentials for user@DOMAIN.COM
[1221] 1576265136.982938: Sending unauthenticated request
[1221] 1576265136.982939: Sending request (196 bytes) to DOMAIN.COM
[1221] 1576265137.5412: Retrying AS request with master KDC
[1221] 1576265137.5413: Getting initial credentials for user@DOMAIN.COM
[1221] 1576265137.5415: Sending unauthenticated request
[1221] 1576265137.5416: Sending request (196 bytes) to DOMAIN.COM (master)
kinit: Cannot find KDC for realm "DOMAIN.COM " while getting initial credentials

I've tried numerous krb5.conf settings, but most of the time they fail like the above. SUB.DOMAIN.COM works fine, but anything sent to DOMAIN.COM fails. How do I configure Kerberos to route tickets through the DC of SUB.DOMAIN.COM?

Here is one of my attempted krb5.conf files:

[libdefaults]
    default_realm = SUB.DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    SUB.DOMAIN.COM = {
    }
    DOMAIN.COM = {
    }

[domain_realm]
    .sub.domain.com = SUB.DOMAIN.COM
    sub.domain.com = SUB.DOMAIN.COM

[capaths]
    SUB.DOMAIN.COM = {
        DOMAIN.COM = .
    }

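An added krb5.conf example, written for this page rather than taken from the poster's files or from the Samba project. The trace above fails at KDC lookup ("Cannot find KDC for realm"), before any packet reaches a DC, so the first thing to separate is DNS from reachability: naming the KDCs explicitly removes the _kerberos._tcp SRV lookup from the picture, and the next failure (if any) will be a connection error naming the host that cannot be reached. The hostnames dc1.domain.com and dc1.sub.domain.com are assumptions; substitute the real DC names.

```ini
[libdefaults]
    default_realm = SUB.DOMAIN.COM
    dns_lookup_realm = false
    # Disabled so the [realms] entries below are authoritative. With it
    # enabled, any realm lacking a kdc line still triggers an SRV lookup,
    # which is the step that failed in the trace above.
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    # Assumed DC hostnames (not from the original post).
    SUB.DOMAIN.COM = {
        kdc = dc1.sub.domain.com
        admin_server = dc1.sub.domain.com
    }
    DOMAIN.COM = {
        # An AS-REQ for user@DOMAIN.COM is answered only by a DOMAIN.COM
        # KDC; [capaths] cannot redirect it to the SUB.DOMAIN.COM DC.
        kdc = dc1.domain.com
        admin_server = dc1.domain.com
    }

[domain_realm]
    # The posted file mapped only the sub-domain; hosts in domain.com
    # need a mapping as well, or their SPNs resolve to default_realm.
    .sub.domain.com = SUB.DOMAIN.COM
    sub.domain.com = SUB.DOMAIN.COM
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

[capaths]
    # Direct paths in both directions, matching the two-way forest trust.
    SUB.DOMAIN.COM = {
        DOMAIN.COM = .
    }
    DOMAIN.COM = {
        SUB.DOMAIN.COM = .
    }
```

Two checks go with this config. From the client, `dig +short SRV _kerberos._tcp.DOMAIN.COM` shows whether the original DNS-based lookup could ever have worked, and `nc -zv dc1.domain.com 88` (assumed hostname) shows whether port 88 on the other domain's DC is reachable at all. The caveat is the important part: cross-realm paths in [capaths] only shape TGS referrals after a client already holds a TGT; the initial AS exchange for a DOMAIN.COM principal, and the later TGS exchange for any DOMAIN.COM service, both have to reach a DOMAIN.COM KDC. If the network only lets clients talk to their own domain's DC, no krb5.conf setting alone makes `kinit user@DOMAIN.COM` succeed; a firewall rule to the DOMAIN.COM DCs (or a proxy that can reach them) is required.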
