On 2023-04-12 15:42, Peter Milesson via samba wrote:
> On 12.04.2023 21:26, Gary Dale via samba wrote:
>> I'm following the Debian wiki at
>> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory since
>> it seems to be the only one I can find and since I'm running
>> Debian/Bookworm on an AMD64 system. I'm in the section "Configure
>> Kerberos" which is near the start.
>>
>> My /etc/krb5.conf file (with most comments removed) is:
>>
>>> # cat /etc/krb5.conf
>>> [logging]
>>>        Default = FILE:/var/log/krb5.log
>>>
>>> [libdefaults]
>>>        default_realm = HOME.RAHIM-DALE.ORG
>>>        ticket_lifetime = 24000
>>>        clock-skew = 300
>>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>>        fcc-mit-ticketflags = true
>>>        rdns = false
>>> [realms]
>>>        HOME.RAHIM-DALE.ORG = {
>>>                kdc = dc1.home.rahim-dale.org
>>>                admin_server = dc1.home.rahom-dale.org
>>>        }
>>>
>>> [domain_realm]
>>>        .rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>        rahim-dale.org = HOME.RAHIM-DALE.ORG
>>>
>> I've also tried it with the Heimdal Kerberos parameters commented out. It
>> didn't make any difference. I get the same error. Web searches say
>> this is usually a result of capitalization errors in the .conf file,
>> but it seems OK to me.
>>
>>> root@transponder:~# kinit Administrator@home.rahim-dale.org
>>> Password for Administrator@home.rahim-dale.org:
>>> kinit: KDC reply did not match expectations while getting initial
>>> credentials
>>>
>> The krb5.conf file on the DC is:
>>
>>> [libdefaults]
>>> default_realm = HOME.RAHIM-DALE.ORG
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> [realms]
>>> HOME.RAHIM-DALE.ORG = {
>>> default_domain = home.rahim-dale.org
>>> }
>>>
>>> [domain_realm]
>>> dc1 = HOME.RAHIM-DALE.ORG
>>>
>>
>> Any ideas on what I'm doing wrong?
>
> Hi Gary,
>
> My krb5.conf on the second DC (the one without FSMO roles) has got the
> entry under [domain_realm] all in upper case, like DC1 =
> HOME.RAHIM-DALE.ORG. Kerberos seems to be picky about upper case, but
> it's just an idea.
>
> On the member server your krb5.conf should just be:
>
> [libdefaults]
>        default_realm = HOME.RAHIM-DALE.ORG
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>
> Best regards,
>
> Peter
>
I've tried it both ways (dc1 and DC1) and get the same result. And yes, I
did restart the krb5-admin-server in between.
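The thread above turns on realm-name capitalization: MIT Kerberos realm names are case-sensitive, and a realm spelled in lower case (in the .conf or in the principal passed to kinit) does not match the KDC's realm. The following checker is an added example, not code from the thread or from Samba; it lints a constructed krb5.conf modelled on the one posted and the kinit principal that was used. The parser and its function names are assumptions for illustration.

```python
"""Lint a krb5.conf for realm-name case problems (added example, not from the thread)."""
import re

# Constructed sample, modelled on the member-server config and the kinit call in the thread.
SAMPLE_CONF = """
[libdefaults]
    default_realm = HOME.RAHIM-DALE.ORG
[realms]
    HOME.RAHIM-DALE.ORG = {
        kdc = dc1.home.rahim-dale.org   # host names are fine in lower case
    }
[domain_realm]
    .rahim-dale.org = HOME.RAHIM-DALE.ORG
    dc1 = home.rahim-dale.org           # realm value in lower case: a finding
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: [(key, value), ...]}.
    Realm blocks `REALM = {` are recorded as (REALM, "") and their inner
    keys are appended to the same section, which is enough for linting."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line == "}":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if "=" in line and current:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip().rstrip("{").strip()))
    return sections

def lint_realms(conf, principal=None):
    """Return findings for realm names that are not upper case, and for a
    kinit principal whose realm differs from default_realm."""
    findings = []
    default = dict(conf.get("libdefaults", [])).get("default_realm")
    if default and default != default.upper():
        findings.append(f"default_realm '{default}' is not upper case")
    for realm, value in conf.get("realms", []):
        if value == "" and realm != realm.upper():    # block opener `REALM = {`
            findings.append(f"[realms] block '{realm}' is not upper case")
    for host, realm in conf.get("domain_realm", []):
        if realm != realm.upper():
            findings.append(f"[domain_realm] maps '{host}' to lower-case realm '{realm}'")
    if principal and "@" in principal:
        prealm = principal.rsplit("@", 1)[1]
        if default and prealm != default:
            findings.append(f"principal realm '{prealm}' does not match default_realm '{default}'")
    return findings
```

Run against the sample with the principal from the thread, `lint_realms(parse_krb5_conf(SAMPLE_CONF), "Administrator@home.rahim-dale.org")` reports the lower-case [domain_realm] value and the lower-case realm in the principal.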
Christian Naumer
2023-Apr-13 06:11 UTC
[Samba] error trying to authenticate from Linux to AD
On 12.04.23 at 22:34, Gary Dale via samba wrote:
> I've tried it both ways (dc1 and DC1) and get the same result. And yes,
> I did restart the krb5-admin-server in between.

There should not be _any_ krb5-admin-server in your network! Your Samba DC
is the Kerberos server, not anything else. If this is installed anywhere,
remove it.

Regards
Christian