Sebastian Lisic
2019-Dec-13 22:24 UTC
[Samba] Samba AD Trust and Linux Clients Failing with Kerberos
Hi everyone,

I've been trying for a week to get my Linux clients to work with a Samba AD trust and would appreciate any help.

I have two Active Directory domains: DOMAIN.COM and SUB.DOMAIN.COM. On each is a Samba 4.10.10 DC. There exists a two-way forest trust between the two. The two DCs can talk to one another, but the clients on each cannot (so clients need to talk through their own domain's DC).

I can join/log into a Windows 10 or Server 2019 machine on SUB.DOMAIN.COM with an admin/user account from DOMAIN.COM with no issue. Linux machines on SUB.DOMAIN.COM, however, cannot access anything on DOMAIN.COM. Just trying to get a Kerberos ticket via "kinit USER at DOMAIN.COM" fails.

  [root at client.SUB.DOMAIN.COM /]# KRB5_TRACE=/dev/stdout kinit user at DOMAIN.COM
  [1221] 1576265136.982936: Getting initial credentials for user at DOMAIN.COM
  [1221] 1576265136.982938: Sending unauthenticated request
  [1221] 1576265136.982939: Sending request (196 bytes) to DOMAIN.COM
  [1221] 1576265137.5412: Retrying AS request with master KDC
  [1221] 1576265137.5413: Getting initial credentials for user at DOMAIN.COM
  [1221] 1576265137.5415: Sending unauthenticated request
  [1221] 1576265137.5416: Sending request (196 bytes) to DOMAIN.COM (master)
  kinit: Cannot find KDC for realm "DOMAIN.COM " while getting initial credentials

I've tried numerous krb5.conf settings, but most of the time they fail like the above. SUB.DOMAIN.COM works fine, but anything sent to DOMAIN.COM fails. How do I configure Kerberos to route tickets through the DC of SUB.DOMAIN.COM?

Here is one of my attempted krb5.conf files:

  [libdefaults]
      default_realm = SUB.DOMAIN.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes

  [realms]
      SUB.DOMAIN.COM = {
      }
      DOMAIN.COM = {
      }

  [domain_realm]
      .sub.domain.com = SUB.DOMAIN.COM
      sub.domain.com = SUB.DOMAIN.COM

  [capaths]
      SUB.DOMAIN.COM = {
          DOMAIN.COM = .
      }
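An added diagnostic, not part of the post above and not a Samba or MIT tool: it parses a krb5.conf like the one shown and reports, for each realm in [realms], how the client would locate a KDC (an explicit "kdc =" line, DNS SRV lookup because dns_lookup_kdc is true, or nothing at all). The sample config embedded below is a constructed copy of the poster's; the script does not test reachability, it only shows which realms depend on DNS for a KDC the client may not be able to reach.

```python
# Added example: krb5.conf realm/KDC discovery check (not from the original post).
import re

def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts: section -> key -> value or sub-block.
    Repeated keys (e.g. several 'kdc =' lines) are collected into a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                     # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == '}':                           # end of a NAME = { ... } block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        cur = stack[-1]
        if value.startswith('{'):                 # start of a nested block
            sub = cur.setdefault(key, {})
            if not value.endswith('}'):           # "NAME = { }" on one line needs no pop
                stack.append(sub)
        elif key in cur:                          # repeated key -> list of values
            prev = cur[key] if isinstance(cur[key], list) else [cur[key]]
            cur[key] = prev + [value]
        else:
            cur[key] = value
    return conf

def kdc_discovery(conf):
    """Return {realm: 'explicit' | 'dns' | 'none'} for every realm in [realms]."""
    dns = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true').lower()
    dns_ok = dns in ('true', 'yes', '1')          # MIT krb5 defaults dns_lookup_kdc to true
    result = {}
    for realm, body in conf.get('realms', {}).items():
        has_kdc = isinstance(body, dict) and ('kdc' in body or 'master_kdc' in body)
        result[realm] = 'explicit' if has_kdc else ('dns' if dns_ok else 'none')
    return result

SAMPLE = """\
[libdefaults]
 default_realm = SUB.DOMAIN.COM
 dns_lookup_kdc = true
[realms]
 SUB.DOMAIN.COM = { }
 DOMAIN.COM = {
 }
"""
```

Running `kdc_discovery(parse_krb5_conf(SAMPLE))` reports both realms as 'dns', i.e. the client needs working SRV records for DOMAIN.COM's own KDCs.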