[Samba] error trying to authenticate from Linux to AD
Gary Dale
gary at extremeground.com
Wed Apr 19 22:31:31 UTC 2023
On 2023-04-12 15:26, Gary Dale via samba wrote:
> I'm following the Debian wiki at
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since
> it seems to be the only one I can find and since I'm running
> Debian/Bookworm on an AMD64 system. I'm in the section "Configure
> Kerberos" which is near the start.
I realize that it's not entirely clear whether the above wiki is
referring to the workstation or server in its instructions. I've been
assuming that it is referring to the workstation being set up to
authenticate with AD and that, as per the Samba Wiki at
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Configuring_Kerberos,
the server's Kerberos configuration should be OK.
The AD server's krb5.conf file is:
[libdefaults]
default_realm = HOME.RAHIM-DALE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
HOME.RAHIM-DALE.ORG = {
default_domain = home.rahim-dale.org
}
[domain_realm]
dc1 = HOME.RAHIM-DALE.ORG
Further down in the Samba wiki there are tests for verifying Kerberos.
Here is the output from those tests:
garydale@DC1:~$ kinit administrator
Password for administrator@HOME.RAHIM-DALE.ORG:
garydale@DC1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@HOME.RAHIM-DALE.ORG

Valid starting       Expires              Service principal
2023-04-19 18:07:20  2023-04-20 04:07:20  krbtgt/HOME.RAHIM-DALE.ORG@HOME.RAHIM-DALE.ORG
        renew until 2023-04-20 18:07:14
This leads me to believe that the DC1 AD setup is correct so far as
Kerberos is concerned.
Following Peter's example for a member server, I used this as my
/etc/krb5.conf file:
[libdefaults]
# ticket_lifetime = 24000
# clock-skew = 300
default_realm = HOME.RAHIM-DALE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
However, when I run the workstation configuration test from the Debian
wiki, I get:
root@TheLibrarian:/var/log# kinit Administrator@home.rahim-dale.org
Password for Administrator@home.rahim-dale.org:
kinit: KDC reply did not match expectations while getting initial credentials
This is the same error I get with all the other /etc/krb5.conf files
I've tried.
At this point I am not trying to authenticate against AD - I'm just
testing Kerberos. AFAIK, PAM doesn't even enter the picture. The kinit
command should just be requesting a ticket from the Kerberos server
(dc1.home.rahim-dale.org).
For completeness, here's the /etc/krb5.conf on my workstation:
[libdefaults]
ticket_lifetime = 24000
clock-skew = 300
default_realm = HOME.RAHIM-DALE.ORG
[realms]
HOME.RAHIM-DALE.ORG = {
kdc = dc1.home.rahim-dale.org
admin_server = dc1.home.rahom-dale.org
default_domain = home.rarhim-dale.org
}
[domain_realm]
.rahim-dale.org = HOME.RAHIM-DALE.ORG
rahim-dale.org = HOME.RAHIM-DALE.ORG
but the same test returns the same results:
root@transponder:~# kinit Administrator@home.rahim-dale.org
Password for Administrator@home.rahim-dale.org:
kinit: KDC reply did not match expectations while getting initial credentials
Can anyone suggest a fix to what is going wrong?
Thanks.
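A small configuration check, added here as an illustration and not part of the post, the Debian wiki or the Samba wiki. MIT Kerberos reports "KDC reply did not match expectations" (KRB5_KDCREP_MODIFIED) when the client name or realm in the KDC's reply differs from what kinit asked for, and realm names are compared case-sensitively; a mistyped KDC or admin_server host name is the other common reason the reply does not come from where the client expected. The checker below parses a krb5.conf, compares the realm in the principal given to kinit with default_realm, and verifies that every kdc/admin_server host and the default_domain are covered by a [domain_realm] entry. The function names (parse_krb5_conf, realm_for_host, check_config) are hypothetical, and the sample input is a constructed copy of the workstation configuration quoted above, typos included.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a workstation krb5.conf modelled on the one in
# the post above (typos included) plus the principal typed at kinit.
# Hypothetical check, not part of any Samba, MIT Kerberos or Debian tooling.
SAMPLE_KRB5_CONF = """
[libdefaults]
ticket_lifetime = 24000
clock-skew = 300
default_realm = HOME.RAHIM-DALE.ORG
[realms]
HOME.RAHIM-DALE.ORG = {
kdc = dc1.home.rahim-dale.org
admin_server = dc1.home.rahom-dale.org
default_domain = home.rarhim-dale.org
}
[domain_realm]
.rahim-dale.org = HOME.RAHIM-DALE.ORG
rahim-dale.org = HOME.RAHIM-DALE.ORG
"""
SAMPLE_PRINCIPAL = "Administrator@home.rahim-dale.org"


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: [section] headers, key = value lines and
    REALM = { ... } stanzas. Values are kept as lists because keys such as
    kdc may repeat. Comments (#) and blank lines are ignored."""
    conf: Dict[str, dict] = {}
    section = stanza = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, stanza = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            stanza = m.group(1)
            conf[section].setdefault(stanza, {})
            continue
        if line == "}":
            stanza = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.+)", line)
        if m:
            target = conf[section][stanza] if stanza else conf[section]
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def realm_for_host(host: str, domain_realm: Dict[str, List[str]]) -> Optional[str]:
    """Mirror the [domain_realm] lookup: an exact host entry wins, otherwise
    the longest '.parent.domain' entry that the host name ends with."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host][0]
    best: Optional[str] = None
    for pattern in domain_realm:
        if pattern.startswith(".") and host.endswith(pattern.lower()):
            if best is None or len(pattern) > len(best):
                best = pattern
    return domain_realm[best][0] if best else None


def check_config(conf: Dict[str, dict], principal: str) -> List[str]:
    """Return findings for the mistakes that typically produce
    'KDC reply did not match expectations': a realm spelled differently
    from the KDC's realm (case matters) and kdc/admin_server host names or
    a default_domain that no [domain_realm] entry covers (usually a typo)."""
    findings: List[str] = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    if default_realm and "@" in principal:
        requested = principal.rsplit("@", 1)[1]
        if requested != default_realm:
            if requested.upper() == default_realm.upper():
                findings.append(
                    f"principal realm '{requested}' differs from default_realm "
                    f"'{default_realm}' only in case; realm names are "
                    f"case-sensitive, so the KDC's reply will not match the request")
            else:
                findings.append(
                    f"principal realm '{requested}' is not the configured "
                    f"default_realm '{default_realm}'")
    domain_realm = conf.get("domain_realm", {})
    for realm, stanza in conf.get("realms", {}).items():
        for key in ("kdc", "admin_server", "kpasswd_server"):
            for value in stanza.get(key, []):
                host = value.split(":", 1)[0]  # drop an optional :port suffix
                mapped = realm_for_host(host, domain_realm)
                if mapped != realm:
                    findings.append(
                        f"[realms] {realm}: {key} = {value} maps to "
                        f"{mapped or 'no realm'} in [domain_realm] (typo?)")
        for dom in stanza.get("default_domain", []):
            if realm_for_host("host." + dom, domain_realm) != realm:
                findings.append(
                    f"[realms] {realm}: default_domain = {dom} is not covered "
                    f"by any [domain_realm] entry (typo?)")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_krb5_conf(SAMPLE_KRB5_CONF), SAMPLE_PRINCIPAL):
        print("WARNING:", finding)
```

Run against the sample it reports three things: the lowercase realm in the principal, the admin_server host that no domain_realm entry covers, and the default_domain with the same problem. A config where the realm is typed exactly as the KDC knows it and every host name falls under a mapped domain produces no findings.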