{"id":1628,"date":"2014-01-23T21:27:37","date_gmt":"2014-01-23T20:27:37","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=1628"},"modified":"2014-01-23T12:31:53","modified_gmt":"2014-01-23T11:31:53","slug":"linux-kerberos-authentification-against-windows-active-directory","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/linux-kerberos-authentification-against-windows-active-directory\/","title":{"rendered":"Linux: Kerberos authentication against Windows Active Directory"},"content":{"rendered":"<p>Hi,<\/p>\n<p>Here are some steps to use Kerberos authentication against an Active Directory domain (Windows Server 2008 R2 or later) from your Linux machine.<\/p>\n<p>The default krb5 configuration shipped by most Linux distributions does not work out of the box. I assume that the REALM in \/etc\/krb5.conf is already configured.<\/p>\n<p>Typical error messages are:<\/p>\n<pre><code>kinit: KDC has no support for encryption type while getting initial credentials\r\nkinit: KDC reply did not match expectations while getting initial credentials<\/code><\/pre>\n<pre><code>michael@debdev:~# kinit  michael@subdomain.domain.local\r\nPassword for michael@subdomain.domain.local:\r\nkinit: KDC has no support for encryption type while getting initial credentials<\/code><\/pre>\n<p>To eliminate the &#8220;KDC has no support for encryption type while getting initial credentials&#8221; issue, change the default encryption types in the libdefaults section of \/etc\/krb5.conf: add default_tgs_enctypes and default_tkt_enctypes to your config.
<\/p>\n<pre><code>[libdefaults]\r\n      default_realm = SUBDOMAIN.DOMAIN.LOCAL\r\n      default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5\r\n      default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5<\/code><\/pre>\n<p>Check again:<\/p>\n<pre><code>michael@debdev:~# kinit  michael@subdomain.domain.local\r\nPassword for michael@subdomain.domain.local:\r\nkinit: KDC reply did not match expectations while getting initial credentials<\/code><\/pre>\n<p>If the &#8220;KDC reply did not match expectations while getting initial credentials&#8221; error occurs, check your \/etc\/krb5.conf. Ensure that all realm names are in upper case letters.<\/p>\n<pre><code>[libdefaults]\r\n      default_realm = SUBDOMAIN.DOMAIN.LOCAL\r\n......\r\n[realms]\r\n        SUBDOMAIN.DOMAIN.LOCAL = {\r\n                kdc = DC.SUBDOMAIN.DOMAIN.LOCAL:88\r\n                admin_server = DC.SUBDOMAIN.DOMAIN.LOCAL\r\n                default_domain = SUBDOMAIN.DOMAIN.LOCAL\r\n        }<\/code><\/pre>\n<p>kinit also needs the realm, i.e. the domain name, in upper case.<\/p>\n<pre><code>michael@debdev:~# kinit michael@SUBDOMAIN.DOMAIN.LOCAL\r\nPassword for michael@SUBDOMAIN.DOMAIN.LOCAL:\r\nmichael@debdev:~#<\/code><\/pre>\n<pre><code>michael@debdev:~# klist\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: michael@SUBDOMAIN.DOMAIN.LOCAL\r\n\r\nValid starting       Expires              Service principal\r\n23.01.2014 21:35:39  24.01.2014 11:35:44  krbtgt\/SUBDOMAIN.DOMAIN.LOCAL@SUBDOMAIN.DOMAIN.LOCAL\r\n        renew until 24.01.2014 21:35:39<\/code><\/pre>\n<p>For example, I used the ticket to get some information about CIFS on a Windows box:<\/p>\n<pre><code>michael@debdev:~# rpcclient win7.subdomain.domain.local -k\r\nrpcclient $> srvinfo\r\n        WIN7.SUBDOMIN.Wk Sv NT\r\n        platform_id     :       500\r\n        os version      :       6.1\r\n        server type     :       0x1003<\/code><\/pre>\n<pre><code>rpcclient $> getusername\r\nAccount Name: michael, Authority Name: SUBDOMAIN<\/code><\/pre>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, here are some steps to use Kerberos authentication against an Active Directory domain (Windows Server 2008 R2 or later) from your Linux machine. The default krb5 configuration shipped by most Linux distributions does not work out of the box. I assume that the REALM in \/etc\/krb5.conf is already configured. Typical error &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/linux-kerberos-authentification-against-windows-active-directory\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Linux: Kerberos authentication against Windows Active Directory<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[418,419,415,416,224,417],"class_list":["post-1628","post","type-post","status-publish","format-standard","hentry","category-linux","tag-kdc-has-no-support-for-encryption-type-while-getting-initial-credentials","tag-kdc-reply-did-not-match-expectations-while-getting-initial-credentials","tag-kerberos","tag-krb5","tag-linux-2","tag-realms"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=1628"}],"version-history":[{"count":7,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1628\/revisions"}],"predecessor-version":[{
"id":1635,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/1628\/revisions\/1635"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=1628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=1628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=1628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}