Kerberos Linux to AD problem


Kerberos Linux to AD problem

Matthias Brenner
Hi, I try to connect to a Windows 2012R2 AD server with PowerShell
Core from a Linux client. I can't use NTLM or ssh, so I have to use
Kerberos.


What I did: I installed a debian8 client and configured
krb5.conf as follows (comments and blank lines removed):
  [logging]
    default = FILE:/var/log/krb/krb5libs.log
    kdc = FILE:/var/log/krb/krb5kdc.log
    admin_server = FILE:/var/log/krb/kadmind.log

  [libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    renew_lifetime = 7d

  [realms]
    EXAMPLE.LOCAL = {
        admin_server = ka-dc3.example.local
        kdc = ka-dc3.example.local
    }

  [domain_realm]
    .example.local = EXAMPLE.LOCAL


I also configured sssd.conf and smb.conf. After that I did a domain join.
Now I can see the computer entry in the AD. And I can log in
to the Linux client with my AD credentials.


But I'm not familiar with kerberos. If I enter the following
command (all the following commands are entered as root user):
  kinit -v [hidden email]
I get the following output:
  Authenticated to Kerberos v5


A
  klist
results in:
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: [hidden email]


  Valid starting       Expires              Service principal
  25.04.2019 09:24:34  25.04.2019 19:24:34  krbtgt/[hidden email]
        renew until 02.05.2019 09:24:30



The howto told me that a
  kinit -k
should work, but I got this error message:
  kinit: Client 'host/[hidden email]' not found in 
  Kerberos database while getting initial credentials


A
  kadmin
fails with:
  Authenticating as principal matthias_admin/[hidden email] with password.
  kadmin: Client not found in Kerberos database while initializing kadmin
  interface


If I enter
  klist -k
I get:
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 host/[hidden email]
   2 DEBIAN8$@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL


In my opinion my problems with powershell are related to kerberos.
If I enter the following command in powershell:
  kinit [hidden email]
followed by:
  Enter-PSSession -ComputerName ka-dc3.example.local 
     -Authentication Negotiate -Credential [hidden email]
I get this error message:
  Enter-PSSession : Connecting to remote server ka-dc3.example.local
  failed with the following error message : Authorization failed
  Unspecified GSS failure.  Minor code may provide more information
  Server not found in Kerberos database For more information, see the
  about_Remote_Troubleshooting Help topic.
  At line:1 char:1
  + Enter-PSSession -ComputerName ka-dc3.example.local -Authentication Ne ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo          : InvalidArgument: (ka-dc3.example.local:String) [Enter-PSSession], PSRemotingTransportException
  + FullyQualifiedErrorId : CreateRemoteRunspaceFailed




Any help is appreciated!


Matthias

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
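An added example, not part of the thread, for the kinit -k failure above. MIT kinit -k with no principal argument tries host/<fqdn>@REALM, and AD's KDC does not issue a TGT to that name (the "Client 'host/...' not found in Kerberos database" reply above), whereas the machine account DEBIAN8$@EXAMPLE.LOCAL that appears in the same keytab listing is a valid client principal. The script picks that principal out of klist -k output and, when RUN_LIVE=1 is set, uses it for kinit -k and asks the KDC for the service principal a WinRM session would need. The sample klist -k text, the hostnames, the RUN_LIVE switch and the use of the HTTP/ SPN for WinRM are assumptions of the example, not details from the post.

```shell
#!/bin/sh
# Added example (not from the thread): find the keytab principal an AD-joined
# Linux host can use as a *client* principal, and optionally run live checks.

# Constructed sample of `klist -k` output, modelled on the post: the host/
# entries are the computer account's SPNs, DEBIAN8$ is the account itself.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   2 host/debian8.example.local@EXAMPLE.LOCAL
   2 host/debian8.example.local@EXAMPLE.LOCAL
   2 host/DEBIAN8@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL
   2 DEBIAN8$@EXAMPLE.LOCAL'

# Print each principal in `klist -k` output (read from stdin) once. Entry lines
# start with a numeric KVNO; the header line and the dashed rule do not.
keytab_principals() {
    awk 'NF >= 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# The AD machine account is the entry whose name ends in "$" before the realm.
# kinit -k with no argument would try host/<fqdn> instead, which AD answers
# with "Client not found in Kerberos database".
machine_principal() {
    keytab_principals | grep -F '$@' | head -n 1
}

# Wrappers over the constructed sample (used by the self-test).
sample_principal_count() { printf '%s\n' "$SAMPLE_KLIST" | keytab_principals | grep -c .; }
sample_machine_principal() { printf '%s\n' "$SAMPLE_KLIST" | machine_principal; }

# Live checks, only when explicitly requested (RUN_LIVE is this example's switch).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    KEYTAB=${KEYTAB:-/etc/krb5.keytab}
    TARGET=${TARGET:-ka-dc3.example.local}   # server name from the post; assumption
    princ=$(klist -k "$KEYTAB" | machine_principal)
    if [ -z "$princ" ]; then
        echo "no machine-account principal in $KEYTAB; re-run the domain join" >&2
        exit 1
    fi
    echo "using client principal $princ"
    kinit -k -t "$KEYTAB" "$princ" || exit 1
    klist
    # WinRM authenticates against the HTTP/<host> service principal (assumption
    # of this example). "Server not found in Kerberos database" from kvno means
    # no account in the realm carries that SPN, which is the same GSS error
    # Enter-PSSession reported in the post.
    kvno "HTTP/$TARGET" || exit 1
fi
```

Run it as RUN_LIVE=1 sh check_keytab.sh on the joined host; without RUN_LIVE it only defines the functions and parses the constructed sample.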

Re: Kerberos Linux to AD problem

Rob A
First, make sure you disabled mdns3 or moved it down the list in your
nsswitch, so that the .local domain will work properly. This is just good
hygiene.

Second, just log in with your AD credentials with sssd and type klist. It
should show the right credentials. Kinit should not be necessary.

Third, try smbclient -k //ka-dc01.example.local/c\$

If that works, then Kerberos is set up right. I'm not sure PS Core supports
Kerberos properly from Linux yet (they didn't 3 months ago), check github.

--
Robert Auch
via +1-773-655-6834


On Fri, Apr 26, 2019, 09:06 Matthias Brenner <
[hidden email]> wrote:
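An added example, not from the thread, for Rob's first point. With the Debian default hosts: line, mdns4_minimal answers queries for *.local before dns is ever consulted, so a realm named EXAMPLE.LOCAL can end up with KDC lookups that never reach AD's DNS. The script checks the module order on the hosts: line and, with RUN_LIVE=1, reads the real /etc/nsswitch.conf, resolves the KDC named in the post and shows the ticket SSSD obtained at login (Rob's second point). The nsswitch fragments, the RUN_LIVE switch and the hostname are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): does nsswitch let mDNS shadow a .local
# AD realm, and what does the login-time credential cache look like?

# Constructed nsswitch.conf fragments. The first is the Debian default, where
# mdns4_minimal answers *.local (and stops the lookup) before dns is asked.
NSS_DEFAULT='passwd: compat sss
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files'
NSS_FIXED='passwd: compat sss
hosts: files dns
networks: files'

# Extract the hosts: line from nsswitch.conf content read on stdin.
hosts_line() {
    grep '^hosts:' | head -n 1
}

# Exit 0 when an mdns* module precedes dns (or dns is absent) on a hosts: line.
# Field 1 is "hosts:", so modules start at field 2; "[NOTFOUND=return]" is
# neither module and is skipped.
mdns_before_dns() {
    printf '%s\n' "$1" | awk '{
        m = 0; d = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^mdns/ && m == 0) m = i
            if ($i == "dns" && d == 0) d = i
        }
        exit !(m > 0 && (d == 0 || m < d))
    }'
}

# Classify nsswitch content on stdin: mdns-shadows-local, ok, or no-hosts-line.
check_nsswitch() {
    line=$(hosts_line)
    if [ -z "$line" ]; then
        echo no-hosts-line
        return 1
    fi
    if mdns_before_dns "$line"; then
        echo mdns-shadows-local
    else
        echo ok
    fi
}

# Wrappers over the constructed fragments (used by the self-test).
check_default() { printf '%s\n' "$NSS_DEFAULT" | check_nsswitch; }
check_fixed()   { printf '%s\n' "$NSS_FIXED" | check_nsswitch; }

# Live checks, only when explicitly requested (RUN_LIVE is this example's switch).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    KDC=${KDC:-ka-dc3.example.local}   # KDC from the post's krb5.conf; assumption
    printf 'nsswitch: '
    check_nsswitch < /etc/nsswitch.conf
    # The KDC must resolve through DNS, not through mDNS, for the realm to work.
    getent hosts "$KDC" || { echo "cannot resolve $KDC" >&2; exit 1; }
    # After an SSSD login the user's cache should already hold a krbtgt ticket.
    klist || echo "no credential cache; log in via SSSD first" >&2
fi
```

With the default fragment the check reports mdns-shadows-local; moving dns ahead of mdns4_minimal (or removing the mDNS module) makes it report ok.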

Re: Kerberos Linux to AD problem

Matthias Brenner
Hi Rob,

thanks for your answer.

> First, make sure you disabled mdns3 or moved it down the list in your nsswitch, so that the .local domain will work properly.
> This is just good hygiene.

Was already disabled. Thanks for that hint.

> Second, just log in with your AD credentials with sssd and type klist. It should show the right credentials. Kinit should not be necessary.

Tested and ok.

> Third, try smbclient -k //ka-dc01.example.local/c\$

Tested and ok, too.

> If that works, then Kerberos is set up right. I'm not sure PS Core supports Kerberos properly from Linux yet (they didn't 3 months ago),
> check github.

I agree. Maybe it's simply that PS Core doesn't support Kerberos at the moment.


Thank you very much for your help!


Regards

Matthias