Displaying 2 results from an estimated 2 matches for "krb5kdc_err_s_principal_unknown".
2020 May 17
2
GSSAPI authentication issue with samba as AD DC.
...from member to DC was:
* req-body
realm: OIKUMENE.UKEHI.NET
* sname
name-type: KRB5-NT-PRINCIPAL
* sname-string
SNameString: imap
SNameString: nowhere.oikumene.ukehi.net
The authentication step from member to DC seems OK.
But, DC returns:
KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
where valid TGS-REP is expected.
Here, I am stuck. What can I do to make DC return TGS-REP and make
GSSAPI authentication succeed?
2020 May 17
0
GSSAPI authentication issue with samba as AD DC.
...ssword imap-nowhere
> # samba-tool spn add
> imap/nowhere.oikumene.ukehi.net@OIKUMENE.UKEHI.NET imap-nowhere
Don't use the @REALM part. An SPN in Samba doesn't have the realm.
> The authentication step from member to DC seems OK.
> But, DC returns:
>
> KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
>
> where valid TGS-REP is expected.
Yeah, that will be because it is looking for it without the realm.
A patch to the client tool to reject this would be a very good idea.
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Sam...