I have successfully joined an Ubuntu machine (Ubuntu 20.04 LTS) to an Active Directory domain.
Therefore, I can log in with AD accounts, obtain and renew the ticket-granting ticket for the user, and access network shares with Kerberos authentication.
However, I struggle to obtain the initial credentials for the computer account:
admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
[sudo] password for admin:
[232252] 1645435537.855061: Getting initial credentials for host/[email protected]
[232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
[232252] 1645435537.855064: Sending unauthenticated request
[232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
[232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
[232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
[232252] 1645435537.855068: Response was from master KDC
[232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials
I have spent several hours on that issue without progress. Probably I am missing some essential steps.
The requested principal is contained in the local keytab on the ubuntu machine:
root@comp01:~$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 02/17/2022 07:34:59 [email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 [email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 [email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 host/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
And the principal is also registered on the AD-Domain controller:
> setspn -L comp01
Registrierte Dienstprinzipalnamen (SPN) für CN=COMP01,CN=Computers,DC=company,DC=lan:
RestrictedKrbHost/comp01.company.lan
host/comp01.company.lan
RestrictedKrbHost/COMP01
host/COMP01
The ubuntu machine has been joined to the AD-Domain using
> realm join company.lan
And the Kerberos configuration file is as follows:
[libdefaults]
default_realm = COMPANY.LAN
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
COMPANY.LAN = {
kdc = DC.company.lan
admin_server = DC.company.lan
default_domain = company.lan
}
[domain_realm]
.company.lan = COMPANY.LAN
company.lan = COMPANY.LAN
Forward and reverse DNS are also looking good:
> nslookup comp01
Server: DC.company.lan
Address: 172.27.17.41
Name: comp01.company.lan
Address: 172.27.17.131
> nslookup 172.27.17.131
Server: DC.company.lan
Address: 172.27.17.41
Name: comp01.company.lan
Address: 172.27.17.131
I am really thankful for any hint that guides me in the right direction.
Best Answer
With Active Directory-flavoured Kerberos there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as the client principal, its SPNs cannot.
The account name of computer objects is always the hostname in upper case and suffixed with a "$", e.g. for a computer named "COMP01" the account name would be "COMP01$".
Meanwhile "host/comp01" and "host/comp01.company.lan" only exist as service principals – an AD KDC will issue tickets for clients requesting "host/comp01" as the target server, but doesn't allow them to act as clients during initial authentication. They exist in your keytab only to be used on the "acceptor" side.
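The practical consequence of the answer, as an added example that is not part of the question or the answer: pick the machine-account principal (the one with no "/" component and a trailing "$") out of the keytab listing and hand that, rather than a host/ SPN, to kinit. The listing below is a constructed sample that mirrors the one in the question; the keytab path /etc/krb5.keytab and realm COMPANY.LAN are taken from the question, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes the keytab and realm from the question (/etc/krb5.keytab, COMPANY.LAN).

# Constructed sample of `klist -kte` output, shaped like the question's listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)'

# Print the account principal(s) in a `klist -kte` listing: entries whose
# name has no "/" component and whose local part ends in "$", i.e. the
# computer's sAMAccountName. SPNs (host/..., RestrictedKrbHost/...) are
# skipped because an AD KDC only lets them act as ticket targets.
account_principal() {
    printf '%s\n' "$1" | awk '
        NR > 3 {
            p = $4
            split(p, parts, "@")
            if (parts[1] ~ /\$$/ && parts[1] !~ /\//) print p
        }' | sort -u
}

# Say whether a principal can be used as the client in `kinit -kt`:
# anything with a "/" is a service principal, everything else an account.
classify_principal() {
    case "$1" in
        */*) echo service ;;
        *)   echo client ;;
    esac
}

# Obtain a TGT for the machine account from the keytab. Needs read access
# to the keytab (root on the joined host) and a reachable KDC.
machine_kinit() {
    keytab=${1:-/etc/krb5.keytab}
    princ=$(account_principal "$(klist -kte "$keytab")" | head -n 1)
    if [ -z "$princ" ]; then
        echo "no account principal (NAME\$@REALM) found in $keytab" >&2
        return 1
    fi
    echo "Using client principal: $princ" >&2
    kinit -kt "$keytab" "$princ"
}
```

On the joined host this amounts to `sudo kinit -kt /etc/krb5.keytab 'COMP01$@COMPANY.LAN'` (quote the name so the shell does not expand the "$"); `machine_kinit` only automates picking that principal from the keytab so the host/ and RestrictedKrbHost/ entries are never handed to kinit.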