Hello. I am interested in joining a Linux Debian client to an MS AD domain on Windows 2003. This is very important for me. As I understand it, the issue is not the removal of single-DES support in version 1.18, but a change in behavior regarding 2003 GSSAPI and SPNEGO. Could you please advise what functionality I would need to restore (at my own risk, of course) so that I can join an MS AD domain on Windows 2003? I have already spent about a week reading all the commits from version 1.17-final to 1.18.3-final, and I cannot pinpoint from the commits what exactly changed in Kerberos behavior. I would appreciate your help.
The versions I am interested in are: krb5 version: 1.18.3 (Debian 11), 1.21.1 (Debian 12), and also krb5 1.19.

The command used is:

    sudo realm join ad03.loc -U Administrator --unattended --verbose --client-software=sssd --membership-software=adcli

klist -e:

    klist -e
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    21.03.2025 05:37:59  21.03.2025 15:37:59  krbtgt/[email protected]
            renew until 22.03.2025 05:37:58, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac

krb5.conf:

    ~$ sudo cat /etc/krb5.conf
    [libdefaults]
        default_realm = AD03.LOC
        dns_lookup_realm = false
        dns_lookup_kdc = false
        forwardable = true
        rdns = false
        allow_weak_crypto = true
        permitted_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac

    [realms]
        AD03.LOC = {
            kdc = ws03.ad03.loc:88
            kdc = ws03.ad03.loc:88
            admin_server = ws03.ad03.loc:749
        }

    [domain_realm]
        ad03.loc = AD03.LOC
        .ad03.loc = AD03.LOC

realm log:

     * Authenticated as user: [email protected]
     ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)
    adcli: couldn't connect to ad03.loc domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)
     ! Insufficient permissions to join the domain

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
