Kerberos Error – Fixing ‘Client Not Found in Kerberos Database’ Error

active-directorykerberosubuntu-20.04

I have successfully joined an ubuntu machine (Ubuntu 20.04 LTS) to an Active Directory.
Therefore, I can log in with AD-Accounts, obtain and renew the ticket grantin ticket for the user, and access network shares with Kerberos authentication.

However, I struggle to obtain the initial credentials for the computer account:

admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
[sudo] password for admin:
[232252] 1645435537.855061: Getting initial credentials for host/[email protected]
[232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
[232252] 1645435537.855064: Sending unauthenticated request
[232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
[232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
[232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
[232252] 1645435537.855068: Response was from master KDC
[232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

I have spent several hours on that issue without progress. Probably I am missing some essential steps.
The requested principal is contained in the local keytab on the ubuntu machine:

root@comp01:~$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 [email protected] (arcfour-hmac)
   4 02/17/2022 07:34:59 [email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 [email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
   4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
   4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)

And the principal is also registered on the AD-Domain controller:

> setspn -L comp01
Registrierte Dienstprinzipalnamen (SPN) für CN=COMP01,CN=Computers,DC=company,DC=lan:
            RestrictedKrbHost/comp01.company.lan
            host/comp01.company.lan
            RestrictedKrbHost/COMP01
            host/COMP01

The ubuntu machine has been joined to the AD-Domain using

> realm join company.lan

And the Kerberos configuration file is as follows:

[libdefaults]
        default_realm = COMPANY.LAN
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        COMPANY.LAN = {
                kdc = DC.company.lan
                admin_server = DC.company.lan
                default_domain = company.lan
        }
[domain_realm]
        .company.lan = COMPANY.LAN
        company.lan = COMPANY.LAN

Forward and reverse DNS are also looking good:

> nslookup comp01
Server:  DC.company.lan
Address:  172.27.17.41

Name:    comp01.company.lan
Address:  172.27.17.131

> nslookup 172.27.17.131
Server:  DC.company.lan
Address:  172.27.17.41

Name:    comp01.company.lan
Address:  172.27.17.131

I am really thankful for any hint that guides me in the right direction.

Best Answer

With Active Directory-flavoured Kerberos there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as the client principal, its SPNs cannot.

The account name of computer objects is always the hostname in upper case and suffixed with a $, e.g. for a computer named "COMP01" the account name would be COMP01$.

Meanwhile host/comp01 and host/comp01.company.lan only exist as service principals – an AD KDC will issue tickets for clients requesting "host/comp01" as the target server, but doesn't allow them to act as clients during initial authentication. They exist in your keytab only to be used on the "acceptor" side.