I'm following the Debian wiki at https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since it seems to be the only one I can find and since I'm running Debian/Bookworm on an AMD64 system. I'm in the section "Configure Kerberos" which is near the start. My /etc/krb5.con file (with most comments removed) is:> # cat /etc/krb5.conf > [logging] > ???????Default = FILE:/var/log/krb5.log > > [libdefaults] > ???????default_realm = HOME.RAHIM-DALE.ORG > ???????ticket_lifetime = 24000 > ???????clock-skew = 300 > # The following libdefaults parameters are only for Heimdal Kerberos. > ???????fcc-mit-ticketflags = true > ?????? rdns = false > [realms] > ???????HOME.RAHIM-DALE.ORG = { > ???????????????kdc = dc1.home.rahim-dale.org > ???????????????admin_server = dc1.home.rahom-dale.org > ???????} > > [domain_realm] > ???????.rahim-dale.org = HOME.RAHIM-DALE.ORG > ???????rahim-dale.org = HOME.RAHIM-DALE.ORG >I've also tried it wiht Heimdal Kerberos parameters commented out. It didn't make any difference. I get the same error. Web searches say this is usually a result of capitalization errors in the .conf file, but it seems OK to me.> root at transponder:~# kinit Administrator at home.rahim-dale.org > Password for Administrator at home.rahim-dale.org: > kinit: KDC reply did not match expectations while getting initial > credentials >The krb5.conf file on the DC is:> [libdefaults] > default_realm = HOME.RAHIM-DALE.ORG > dns_lookup_realm = false > dns_lookup_kdc = true > > [realms] > HOME.RAHIM-DALE.ORG = { > default_domain = home.rahim-dale.org > } > > [domain_realm] > dc1 = HOME.RAHIM-DALE.ORG >Any ideas on what I'm doing wrong?
On 12/04/2023 20:26, Gary Dale via samba wrote:> I'm following the Debian wiki at > https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since it > seems to be the only one I can find and since I'm running > Debian/Bookworm on an AMD64 system. I'm in the section "Configure > Kerberos" which is near the start. >That page is extremely out of date, do not, I repeat, do not follow the sample smb.conf Rowland
Peter Milesson
2023-Apr-12  19:42 UTC
[Samba] error trying to authenticate from Linux to AD
On 12.04.2023 21:26, Gary Dale via samba wrote:> I'm following the Debian wiki at > https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since > it seems to be the only one I can find and since I'm running > Debian/Bookworm on an AMD64 system. I'm in the section "Configure > Kerberos" which is near the start. > > My /etc/krb5.con file (with most comments removed) is: > >> # cat /etc/krb5.conf >> [logging] >> ???????Default = FILE:/var/log/krb5.log >> >> [libdefaults] >> ???????default_realm = HOME.RAHIM-DALE.ORG >> ???????ticket_lifetime = 24000 >> ???????clock-skew = 300 >> # The following libdefaults parameters are only for Heimdal Kerberos. >> ???????fcc-mit-ticketflags = true >> ?????? rdns = false >> [realms] >> ???????HOME.RAHIM-DALE.ORG = { >> ???????????????kdc = dc1.home.rahim-dale.org >> ???????????????admin_server = dc1.home.rahom-dale.org >> ???????} >> >> [domain_realm] >> ???????.rahim-dale.org = HOME.RAHIM-DALE.ORG >> ???????rahim-dale.org = HOME.RAHIM-DALE.ORG >> > I've also tried it wiht Heimdal Kerberos parameters commented out. It > didn't make any difference. I get the same error. Web searches say > this is usually a result of capitalization errors in the .conf file, > but it seems OK to me. > > >> root at transponder:~# kinit Administrator at home.rahim-dale.org >> Password for Administrator at home.rahim-dale.org: >> kinit: KDC reply did not match expectations while getting initial >> credentials >> > The krb5.conf file on the DC is: > >> [libdefaults] >> default_realm = HOME.RAHIM-DALE.ORG >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> [realms] >> HOME.RAHIM-DALE.ORG = { >> default_domain = home.rahim-dale.org >> } >> >> [domain_realm] >> dc1 = HOME.RAHIM-DALE.ORG >> > > Any ideas on what I'm doing wrong?HI Gary, My krb5.conf on the second DC (the one without FSMO roles) has got the entry under [domain_realm] all in upper case, like DC1 = HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but it's just an idea. On the member server your krb5.conf should just be: [libdefaults] ???????default_realm = HOME.RAHIM-DALE.ORG ?????? dns_lookup_realm = false ?????? dns_lookup_kdc = true Best regards, Peter
Christian Naumer
2023-Apr-13  04:58 UTC
[Samba] error trying to authenticate from Linux to AD
Am 12.04.23 um 21:26 schrieb Gary Dale via samba:> Any ideas on what I'm doing wrong?What is the domain name and hostname of your system? Is that the same as the realm? Also you mentioned in another thread that you have a domain member server? In principle this is what you are trying to setup here. Does Kerberos work there? Regards Christian
Christian Naumer
2023-Apr-13  05:35 UTC
[Samba] error trying to authenticate from Linux to AD
Am 12.04.23 um 21:26 schrieb Gary Dale via samba:> Any ideas on what I'm doing wrong?In you other thread you say: "Thanks Rowland. I was pretty sure it's a DNS issue as the various tests suggested in https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration fail. However my resolv.conf and hosts files were already as you suggested. I am using systemd networkd, if that makes any difference. " Those tests need to pass before Kerberos works! Regards Christian
On 2023-04-12 15:26, Gary Dale via samba wrote:> I'm following the Debian wiki at > https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since > it seems to be the only one I can find and since I'm running > Debian/Bookworm on an AMD64 system. I'm in the section "Configure > Kerberos" which is near the start. > >I realize that it's not entirely clear whether the above wiki is referring to the workstation or server in its instructions. I've been assuming that it is referring to the workstation being set up to authenticate with AD and that, as per the Samba Wiki at https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Configuring_Kerberos, the server's Kerberos configuration should be OK. The AD server's krb5.conf file is: [libdefaults] default_realm = HOME.RAHIM-DALE.ORG dns_lookup_realm = false dns_lookup_kdc = true [realms] HOME.RAHIM-DALE.ORG = { default_domain = home.rahim-dale.org } [domain_realm] dc1 = HOME.RAHIM-DALE.ORG Further down in the Samba wiki there are tests for verifying Kerberos. Here is the output from those tests: garydale at DC1:~$ kinit administrator Password for administrator at HOME.RAHIM-DALE.ORG: garydale at DC1:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: administrator at HOME.RAHIM-DALE.ORG Valid starting?????? Expires????????????? Service principal 2023-04-19 18:07:20? 2023-04-20 04:07:20 krbtgt/HOME.RAHIM-DALE.ORG at HOME.RAHIM-DALE.ORG ??????? renew until 2023-04-20 18:07:14 This leads me to believe that the DC1 AD setup is correct so far as Kerberos is concerned. Following Peter's example for a member server, I used this as my /etc/krb5.conf file: [libdefaults] # ???????ticket_lifetime = 24000 # ???????clock-skew = 300 default_realm = HOME.RAHIM-DALE.ORG dns_lookup_realm = false dns_lookup_kdc = true However when I run the workstation configuration test from the Debian wiki, I get: root at TheLibrarian:/var/log# kinit Administrator at home.rahim-dale.org Password for Administrator at home.rahim-dale.org: kinit: KDC reply did not match expectations while getting initial credentials This is the same error I get with all the other /etc/krb5.conf files I've tried. At this point I am not trying to authenticate against AD - I'm just testing Kerberos. AFAIK, pam doesn't even enter the picture. The kinit command should just be requesting a ticket from the kerberos server (dc1.home.rahim-dale.org). For completeness, here's the /etc/krb45.conf on my workstation: [libdefaults] ???????ticket_lifetime = 24000 ???????clock-skew = 300 ???????default_realm = HOME.RAHIM-DALE.ORG [realms] ???????HOME.RAHIM-DALE.ORG = { ???????????????kdc = dc1.home.rahim-dale.org ???????????????admin_server = dc1.home.rahom-dale.org ???????????????default_domain = home.rarhim-dale.org ???????} [domain_realm] ???????.rahim-dale.org = HOME.RAHIM-DALE.ORG ???????rahim-dale.org = HOME.RAHIM-DALE.ORG but the same test returns the same results: root at transponder:~# kinit Administrator at home.rahim-dale.org Password for Administrator at home.rahim-dale.org: kinit: KDC reply did not match expectations while getting initial credentials Can anyone suggest a fix to what is going wrong? Thanks.