[Samba] error trying to authenticate from Linux to AD

Gary Dale gary at extremeground.com
Wed Apr 19 20:58:41 UTC 2023


On 2023-04-12 15:42, Peter Milesson via samba wrote:
>
>
> On 12.04.2023 21:26, Gary Dale via samba wrote:
>> I'm following the Debian wiki at 
>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since 
>> it seems to be the only one I can find and since I'm running 
>> Debian/Bookworm on an AMD64 system. I'm in the section "Configure 
>> Kerberos" which is near the start.
>>
>> My /etc/krb5.conf file (with most comments removed) is:
>>
>>> # cat /etc/krb5.conf
>>> [logging]
>>>        Default = FILE:/var/log/krb5.log
>>>
>>> [libdefaults]
>>>        default_realm = HOME.RAHIM-DALE.ORG
>>>        ticket_lifetime = 24000
>>>        clock-skew = 300
>>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>>        fcc-mit-ticketflags = true
>>>        rdns = false
>>> [realms]
>>>        HOME.RAHIM-DALE.ORG = {
>>>                kdc = dc1.home.rahim-dale.org
>>>                admin_server = dc1.home.rahom-dale.org
>>>        }
>>>
>>> [domain_realm]
>>>        .rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>        rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>
>> I've also tried it with Heimdal Kerberos parameters commented out. It 
>> didn't make any difference. I get the same error. Web searches say 
>> this is usually a result of capitalization errors in the .conf file, 
>> but it seems OK to me.
>>
>>
>>> root at transponder:~# kinit Administrator at home.rahim-dale.org
>>> Password for Administrator at home.rahim-dale.org:
>>> kinit: KDC reply did not match expectations while getting initial 
>>> credentials
>>>
>> The krb5.conf file on the DC is:
>>
>>> [libdefaults]
>>> default_realm = HOME.RAHIM-DALE.ORG
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> [realms]
>>> HOME.RAHIM-DALE.ORG = {
>>> default_domain = home.rahim-dale.org
>>> }
>>>
>>> [domain_realm]
>>> dc1 = HOME.RAHIM-DALE.ORG
>>>
>>
>> Any ideas on what I'm doing wrong?
> Hi Gary,
>
> My krb5.conf on the second DC (the one without FSMO roles) has got the 
> entry under [domain_realm] all in upper case, like DC1 = 
> HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but 
> it's just an idea.
>
> On the member server your krb5.conf should just be:
>
> [libdefaults]
>        default_realm = HOME.RAHIM-DALE.ORG
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>
> Best regards,
>
> Peter
>
Trying things on two Linux boxes now: the member server and my 
workstation. Getting the same results on both. I tried your suggested 
shorter krb5.conf file but it didn't change anything.
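An added example, not part of this thread and not code from the Samba project or the Debian wiki: a small Python lint that parses a krb5.conf and reports the realm-naming pitfalls the thread raises, namely realm names that are not upper case and KDC/admin-server hostnames that [domain_realm] does not map back to the realm block they sit in. The sample configuration (realm EXAMPLE.ORG and its hostnames) is constructed for the demonstration, and the function names are my own.

```python
"""Lint a krb5.conf for the realm-naming pitfalls discussed in the thread."""
import re

# Constructed sample (not the poster's file): realm EXAMPLE.ORG with two
# deliberate defects that the lint should report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.ORG
        ticket_lifetime = 24000

[realms]
        EXAMPLE.ORG = {
                kdc = dc1.example.org
                admin_server = dc1.exmaple.org
        }

[domain_realm]
        .example.org = EXAMPLE.ORG
        dc1 = example.org
"""


def parse_krb5_conf(text):
    """Parse krb5.conf's INI-like syntax into nested dicts.

    Returns {section: {key: value}}; a '{ ... }' block becomes a nested
    dict. '#' comments and blank lines are ignored, and a repeated key
    keeps its last value, which is enough for a lint.
    """
    sections = {}
    stack = []  # innermost dict last; empty until the first [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # key/value before any section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(host, domain_realm):
    """Map a hostname to a realm the way [domain_realm] is consulted:
    the exact host first, then each parent domain with a leading dot."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def lint_krb5_conf(text):
    """Return a list of human-readable findings (an empty list means clean)."""
    cfg = parse_krb5_conf(text)
    findings = []
    libdefaults = cfg.get("libdefaults", {})
    realms = {k: v for k, v in cfg.get("realms", {}).items() if isinstance(v, dict)}
    domain_realm = {k.lower(): v for k, v in cfg.get("domain_realm", {}).items()
                    if isinstance(v, str)}

    def check_upper(where, realm):
        if realm != realm.upper():
            findings.append(f"{where}: realm '{realm}' is not upper case")

    default_realm = libdefaults.get("default_realm")
    if default_realm:
        check_upper("[libdefaults] default_realm", default_realm)
        if realms and default_realm not in realms:
            findings.append(f"[realms] has no block for default_realm '{default_realm}'")
    for realm in realms:
        check_upper("[realms] block", realm)
    for domain, realm in domain_realm.items():
        check_upper(f"[domain_realm] entry '{domain}'", realm)

    # Every KDC/admin server named in a realm block should map back to that
    # realm through [domain_realm]; a typo or a missing mapping shows up here.
    for realm, block in realms.items():
        for key in ("kdc", "admin_server", "kpasswd_server"):
            value = block.get(key)
            if not isinstance(value, str):
                continue
            host = value.split(":", 1)[0]  # drop an optional :port suffix
            mapped = realm_for_host(host, domain_realm) if domain_realm else None
            if domain_realm and mapped is None:
                findings.append(f"[realms] {realm} {key} '{host}' has no [domain_realm] mapping")
            elif mapped is not None and mapped != realm:
                findings.append(f"[realms] {realm} {key} '{host}' maps to '{mapped}' via [domain_realm]")
    return findings


if __name__ == "__main__":
    for finding in lint_krb5_conf(SAMPLE_KRB5_CONF) or ["no findings"]:
        print(finding)
```

Running the file prints the two findings for the constructed sample; to check a real host, pass the contents of /etc/krb5.conf to lint_krb5_conf. The lint only reads the file and applies the suffix-matching rule [domain_realm] uses, so a clean result is a sanity check on the file, not a guarantee that kinit will succeed against the DC.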