Linux: Kerberos authentification against Windows Active Directory

Hi,

here are some steps to use kerberos authentification against a active directory with OS Version Windows Server 2008 R2 or later on your linux machine.

The default krb5 configuration implementation of the most linux distributions did not work out of the box. I assume that the REALM in /etc/krb5.conf is already configured.

Typical error messages are:

kinit: KDC has no support for encryption type while getting initial credentials
kinit: KDC reply did not match expectations while getting initial credentials

michael@debdev:~# kinit  michael@subdomain.domain.local
Password for michael@subdomain.domain.local:
kinit: KDC has no support for encryption type while getting initial credentials

To eliminate the “KDC has no support for encryption type while getting initial credentials” issue change the default encryption type in the libdefaults section of the /etc/krb5.conf file.

Add the default_tgs_enctypes and default_tkt_enctypes to your config.

[libdefaults]
      default_realm = SUBDOMAIN.DOMAIN.LOCAL
      default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
      default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

check again

michael@debdev:~# kinit  michael@subdomain.domain.local
Password for michael@subdomain.domain.local:
kinit: KDC reply did not match expectations while getting initial credentials

If the “KDC reply did not match expectations while getting initial credentials” error occurs, check your /etc/krb5.conf. Ensure that all Realm names are in upper case letters.

[libdefaults]
      default_realm = SUBDOMAIN.DOMAIN.LOCAL
......
[realms]
        SUBDOMAIN.DOMAIN.LOCAL = {
                kdc = DC.SUBDOMAIN.DOMAIN.LOCAL:88
                admin_server = DC.SUBDOMAIN.DOMAIN.LOCAL
                default_domain = SUBDOMAIN.DOMAIN.LOCAL
        }

kinit also needs the realm respective the domain in upper case.

michael@debdev:~# kinit michael@SUBDOMAIN.DOMAIN.LOCAL
Password for michael@SUBDOMAIN.DOMAIN.LOCAL:
michael@debdev:~#
michael@debdev:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: michael@SUBDOMAIN.DOMAIN.LOCAL

Valid starting       Expires              Service principal
23.01.2014 21:35:39  24.01.2014 11:35:44  krbtgt/SUBDOMAIN.DOMAIN.LOCAL@SUBDOMAIN.DOMAIN.LOCAL
        renew until 24.01.2014 21:35:39

For example I used the ticket to get some information about CIFS of a Windows Box

michael@debdev:~# rpcclient win7.subdomain.domain.local -k
rpcclient $> srvinfo
        WIN7.SUBDOMIN.Wk Sv NT
        platform_id     :       500
        os version      :       6.1
        server type     :       0x1003
rpcclient $> getusername
Account Name: michael, Authority Name: SUBDOMAIN

Michael

8 thoughts on “Linux: Kerberos authentification against Windows Active Directory”

  1. that is very good info , do you have any idea why everything work fine if I use smbclient while if I connect to the same share with GUI it always ask for password ?
    This is driving me crazy … Ubuntu 2004 LTS …

  2. With DNS being largely not case-sensitive, I probably could have banged my head on this for years on end without ever figuring it out. Many thanks.

  3. Hello, tried to do it, the error that I’ve got is ” kinit: Password incorrect while getting initial credentials”

    but I’m using the right account and password.

Leave a Reply