[Samba] error trying to authenticate from Linux to AD

Peter Milesson miles at atmos.eu
Wed Apr 12 19:42:57 UTC 2023



On 12.04.2023 21:26, Gary Dale via samba wrote:
> I'm following the Debian wiki at 
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since 
> it seems to be the only one I can find and since I'm running 
> Debian/Bookworm on an AMD64 system. I'm in the section "Configure 
> Kerberos" which is near the start.
>
> My /etc/krb5.conf file (with most comments removed) is:
>
>> # cat /etc/krb5.conf
>> [logging]
>>        Default = FILE:/var/log/krb5.log
>>
>> [libdefaults]
>>        default_realm = HOME.RAHIM-DALE.ORG
>>        ticket_lifetime = 24000
>>        clock-skew = 300
>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>        fcc-mit-ticketflags = true
>>        rdns = false
>> [realms]
>>        HOME.RAHIM-DALE.ORG = {
>>                kdc = dc1.home.rahim-dale.org
>>                admin_server = dc1.home.rahom-dale.org
>>        }
>>
>> [domain_realm]
>>        .rahim-dale.org = HOME.RAHIM-DALE.ORG
>>        rahim-dale.org = HOME.RAHIM-DALE.ORG
>>
> I've also tried it with the Heimdal Kerberos parameters commented out. It 
> didn't make any difference. I get the same error. Web searches say 
> this is usually a result of capitalization errors in the .conf file, 
> but it seems OK to me.
>
>
>> root@transponder:~# kinit Administrator@home.rahim-dale.org
>> Password for Administrator@home.rahim-dale.org:
>> kinit: KDC reply did not match expectations while getting initial 
>> credentials
>>
> The krb5.conf file on the DC is:
>
>> [libdefaults]
>> default_realm = HOME.RAHIM-DALE.ORG
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> [realms]
>> HOME.RAHIM-DALE.ORG = {
>> default_domain = home.rahim-dale.org
>> }
>>
>> [domain_realm]
>> dc1 = HOME.RAHIM-DALE.ORG
>>
>
> Any ideas on what I'm doing wrong?
Hi Gary,

My krb5.conf on the second DC (the one without FSMO roles) has got the 
entry under [domain_realm] all in upper case, like DC1 = 
HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but 
it's just an idea.

On the member server your krb5.conf should just be:

[libdefaults]
        default_realm = HOME.RAHIM-DALE.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true

Best regards,

Peter
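As an added illustration of the case-sensitivity point raised in this thread (example code written for this page; it is not anything Gary or Peter posted and is not part of Samba or MIT Kerberos), here is a small Python linter for the kinds of krb5.conf mistakes discussed above. Both sample configurations are constructed inline: one modelled on the posted member-server file, keeping its admin_server hostname typo and with one [domain_realm] value deliberately lower-cased, and one modelled on the minimal member-server file Peter recommends. The "hostname under the realm's DNS domain" check assumes the Active Directory convention that the Kerberos realm is the DNS domain name in upper case. The principal check only states what is certain: realm names are case-sensitive, so a realm typed in lower case is not the same realm as HOME.RAHIM-DALE.ORG.

```python
"""Lint a krb5.conf for case and hostname/realm mistakes (added example, not from the thread)."""
import re

# Constructed sample, modelled on the krb5.conf posted in the thread (not the literal file).
# It keeps the "rahom" typo in admin_server and lower-cases one [domain_realm] value on purpose.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = HOME.RAHIM-DALE.ORG
        ticket_lifetime = 24000
        rdns = false
[realms]
        HOME.RAHIM-DALE.ORG = {
                kdc = dc1.home.rahim-dale.org
                admin_server = dc1.home.rahom-dale.org
        }
[domain_realm]
        .rahim-dale.org = HOME.RAHIM-DALE.ORG
        rahim-dale.org = home.rahim-dale.org
"""

# Constructed sample, modelled on the minimal member-server file recommended in the reply.
MEMBER_KRB5_CONF = """\
[libdefaults]
        default_realm = HOME.RAHIM-DALE.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [sections], key = value lines,
    and one level of NAME = { ... } nesting (as used in [realms]). Repeated keys
    such as several kdc lines are collected into lists."""
    conf = {}
    section = None
    block = None  # name of the currently open "{ ... }" block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key/value outside any section: {raw!r}")
        if line == "}":
            block = None
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = key
            section[key] = {}
            continue
        target = section[block] if block else section
        target.setdefault(key, []).append(value)
    return conf


def lint_krb5_conf(conf):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm != default_realm.upper():
        findings.append(f"default_realm {default_realm!r} is not upper case")
    for realm, entries in conf.get("realms", {}).items():
        if realm != realm.upper():
            findings.append(f"[realms] entry {realm!r} is not upper case")
        if not isinstance(entries, dict):
            continue
        for key in ("kdc", "admin_server"):
            for host in entries.get(key, []):
                host = host.split(":", 1)[0].lower()  # strip an optional :port
                # AD convention (assumption): realm == DNS domain in upper case,
                # so every KDC/admin host should sit under that domain.
                if not host.endswith("." + realm.lower()):
                    findings.append(f"{key} {host!r} is not under the DNS domain of realm {realm}")
    for domain, realms in conf.get("domain_realm", {}).items():
        for r in realms:
            if r != r.upper():
                findings.append(f"[domain_realm] maps {domain!r} to {r!r}, which is not upper case")
    return findings


def check_principal(principal, default_realm):
    """Classify the realm part of a principal as kinit would see it: realm names
    are case-sensitive, so 'home.rahim-dale.org' is not 'HOME.RAHIM-DALE.ORG'."""
    if "@" not in principal:
        return ("no-realm", f"{principal!r} has no realm; default_realm {default_realm} will be used")
    _user, realm = principal.rsplit("@", 1)
    if realm == default_realm:
        return ("ok", f"{principal!r}: realm matches default_realm exactly")
    if realm.upper() == default_realm:
        return ("case-mismatch",
                f"{principal!r}: realm differs from {default_realm} only in case; "
                "realm names are case-sensitive, so this is a different realm")
    return ("other-realm", f"{principal!r}: realm {realm!r} is not the default realm")


if __name__ == "__main__":
    for name, text in (("posted-style", SAMPLE_KRB5_CONF), ("minimal member-server", MEMBER_KRB5_CONF)):
        print(f"{name}: {lint_krb5_conf(parse_krb5_conf(text)) or ['no findings']}")
    print(check_principal("Administrator@home.rahim-dale.org", "HOME.RAHIM-DALE.ORG")[1])
```

Run against the posted-style sample the linter reports the mis-spelled admin_server host and the lower-cased [domain_realm] value; the minimal member-server file produces no findings, which is the shape Peter suggests. Point it at a real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`.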



