[Samba] error trying to authenticate from Linux to AD
Gary Dale
gary at extremeground.com
Wed Apr 12 20:34:41 UTC 2023
On 2023-04-12 15:42, Peter Milesson via samba wrote:
>
>
> On 12.04.2023 21:26, Gary Dale via samba wrote:
>> I'm following the Debian wiki at
>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since
>> it seems to be the only one I can find and since I'm running
>> Debian/Bookworm on an AMD64 system. I'm in the section "Configure
>> Kerberos" which is near the start.
>>
>> My /etc/krb5.conf file (with most comments removed) is:
>>
>>> # cat /etc/krb5.conf
>>> [logging]
>>> Default = FILE:/var/log/krb5.log
>>>
>>> [libdefaults]
>>> default_realm = HOME.RAHIM-DALE.ORG
>>> ticket_lifetime = 24000
>>> clock-skew = 300
>>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>> fcc-mit-ticketflags = true
>>> rdns = false
>>> [realms]
>>> HOME.RAHIM-DALE.ORG = {
>>> kdc = dc1.home.rahim-dale.org
>>> admin_server = dc1.home.rahom-dale.org
>>> }
>>>
>>> [domain_realm]
>>> .rahim-dale.org = HOME.RAHIM-DALE.ORG
>>> rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>
>> I've also tried it with Heimdal Kerberos parameters commented out. It
>> didn't make any difference. I get the same error. Web searches say
>> this is usually a result of capitalization errors in the .conf file,
>> but it seems OK to me.
>>
>>
>>> root@transponder:~# kinit Administrator@home.rahim-dale.org
>>> Password for Administrator@home.rahim-dale.org:
>>> kinit: KDC reply did not match expectations while getting initial
>>> credentials
>>>
>> The krb5.conf file on the DC is:
>>
>>> [libdefaults]
>>> default_realm = HOME.RAHIM-DALE.ORG
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> [realms]
>>> HOME.RAHIM-DALE.ORG = {
>>> default_domain = home.rahim-dale.org
>>> }
>>>
>>> [domain_realm]
>>> dc1 = HOME.RAHIM-DALE.ORG
>>>
>>
>> Any ideas on what I'm doing wrong?
> Hi Gary,
>
> My krb5.conf on the second DC (the one without FSMO roles) has got the
> entry under [domain_realm] all in upper case, like DC1 =
> HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but
> it's just an idea.
>
> On the member server your krb5.conf should just be:
>
> [libdefaults]
> default_realm = HOME.RAHIM-DALE.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Best regards,
>
> Peter
>
I've tried it both ways (dc1 and DC1) and get the same result. And yes,
I did restart the krb5-admin-server in between.
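The thread turns on realm-name capitalisation in krb5.conf and in the principal handed to kinit. Kerberos realm names are case-sensitive, so a quick mechanical check of both is worth having before restarting services. The script below is an added example written for this archive page, not code from either poster or from the Samba project: it parses a constructed krb5.conf (realm AD.EXAMPLE.COM, host dc1.ad.example.com are made-up values) with a minimal parser that understands the `name = { ... }` blocks used under [realms], reports realm names that are not upper case or are referenced but never defined, and compares the realm part of a kinit principal against the configured realms exactly the way the KDC will, case-sensitively.

```python
"""Sanity-check a krb5.conf and a kinit principal for realm-name case mismatches.

Added illustration for the mailing-list thread above; the config text and
host names below are constructed, not taken from any real deployment.
"""
import re

# Constructed sample: one deliberate lower-case realm value under [domain_realm].
SAMPLE_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = ad.example.com
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value | {subkey: value}}}.

    Handles '#' comments and one level of 'key = { ... }' blocks, which is
    enough for the [libdefaults], [realms] and [domain_realm] sections.
    """
    sections = {}
    current = None   # dict for the current [section]
    block = None     # dict for an open '{' block inside the section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            current = sections.setdefault(header.group(1), {})
            block = None
            continue
        if current is None or line == '}':
            block = None
            continue
        if '=' not in line:
            continue
        key, val = (part.strip() for part in line.split('=', 1))
        if val == '{':
            block = current.setdefault(key, {})
            continue
        (block if block is not None else current)[key] = val
    return sections


def check_realm_case(conf):
    """Return findings for realm names that are not upper case or undefined."""
    findings = []
    default = conf.get('libdefaults', {}).get('default_realm')
    realms = conf.get('realms', {})
    if default is None:
        findings.append('[libdefaults] has no default_realm')
    elif default != default.upper():
        findings.append(f'default_realm {default!r} is not upper case')
    for realm in realms:
        if realm != realm.upper():
            findings.append(f'[realms] entry {realm!r} is not upper case')
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm != realm.upper():
            findings.append(f'[domain_realm] {domain} -> {realm!r} is not upper case')
        elif realm not in realms and realm != default:
            findings.append(f'[domain_realm] {domain} -> {realm!r} is neither '
                            'default_realm nor defined in [realms]')
    return findings


def check_principal(principal, conf):
    """Compare the realm of a kinit principal with the configured realms.

    The comparison is case-sensitive because realm names are; returns None
    when the principal is fine, otherwise a one-line explanation.
    """
    default = conf.get('libdefaults', {}).get('default_realm', '')
    known = set(conf.get('realms', {})) | ({default} if default else set())
    if '@' not in principal:
        return f'{principal}: no realm given, default_realm {default!r} will be used'
    user, realm = principal.rsplit('@', 1)
    if realm in known:
        return None
    for configured in known:
        if configured.lower() == realm.lower():
            return (f'{principal}: realm {realm!r} differs only in case from '
                    f'configured {configured!r}; use {user}@{configured}')
    return f'{principal}: realm {realm!r} is not configured'


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_CONF)
    for finding in check_realm_case(conf):
        print('config:', finding)
    for principal in ('Administrator@AD.EXAMPLE.COM', 'Administrator@ad.example.com'):
        print('principal:', check_principal(principal, conf) or f'{principal}: ok')
```

Run it against a real file with `parse_krb5_conf(open('/etc/krb5.conf').read())`; anything it reports for the principal is exactly the kind of case mismatch the thread's web searches point at, and is cheaper to rule out than another round of service restarts.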