Wes,

In addition, make sure all your DNS entries are correct, forward and
reverse.

"Cannot find host in Kerberos database" can arise from:

1. missing entry in your /etc/krb5.conf file (James spoke to this clearly)
2. missing machine account in AD (unlikely, because your AD join succeeded)
3. missing DNS entries or
4. not able to determine your AD domain (Kerberos realm) from your DNS
   domain (unlikely, because your AD join succeeded).

Spike

On Thu, Jul 30, 2020 at 11:18 AM Wesley Taylor wrote:
> Sorry I asked this question in the wrong place, but thank you for the
> awesome answer James!
>
> -Original Message-
> From: James Ralston
> Sent: Wednesday, July 29, 2020 11:05 PM
> To: End-user discussions about the System Security Services Daemon
> Subject: [External] - [SSSD-users] Re: How to authenticate machine with Kerberos to Active Directory?
>
> On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor wrote:
>
> > I have a program I am trying to set up which tries to authenticate
> > with the principal host\machine-FQDN@REALM using Kerberos.
> >
> > However, when I run kinit -k, the machine isn't found in the Kerberos
> > database.
>
> "kinit -k" (with no arguments) defaults to attempting to obtain a TGT for
> (e.g.) host/mymachine.example@example.org, which only works if you set
> userPrincipalName to host/mymachine.example@example.org when you joined
> the host to Active Directory.
>
> Running "kinit -k MYMACHINE\$" (that is, using the value of the
> sAMAccountName attribute as the argument to "kinit -k") should always work.
>
> > From what I have read, SSSD is responsible for being the glue between
> > MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active
> > Directory uses).
>
> This has nothing to do with sssd; it's all about setting userPrincipalName
> correctly when you join the host to AD if you want "kinit -k" (with no
> arguments) to work.
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
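
The two checks discussed in this thread (forward/reverse DNS agreement, and running "kinit -k" with the sAMAccountName-style principal from the keytab), as an added example that is not part of the original messages or of SSSD. The function names, the `--live` switch, the realm EXAMPLE.ORG and the sample keytab listing are constructed assumptions; `klist -k`, `kinit -k`, `hostname -f` and `getent hosts` are the standard tools.

```shell
#!/bin/sh
# Constructed sample of plain `klist -k /etc/krb5.keytab` output (one line per
# enctype, so principals repeat). Hostname and realm are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/mymachine.example.org@EXAMPLE.ORG
   2 host/mymachine.example.org@EXAMPLE.ORG
   2 host/MYMACHINE@EXAMPLE.ORG
   2 MYMACHINE$@EXAMPLE.ORG
   2 MYMACHINE$@EXAMPLE.ORG
   2 RestrictedKrbHost/mymachine.example.org@EXAMPLE.ORG'

# Read `klist -k` output on stdin; print each distinct principal once.
# Entry lines are the ones whose first field is a numeric KVNO.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# Read `klist -k` output on stdin; print the machine-account principal,
# i.e. the sAMAccountName form NAME$@REALM (no "/" service component).
machine_principal() {
    keytab_principals | grep -E '^[^/@]+\$@[^@]+$' | head -n 1
}

# Succeed when the name from the reverse lookup equals the FQDN
# (case-insensitive, one trailing dot ignored).
names_match() {  # $1 = fqdn, $2 = name returned for the host's address
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live checks only with --live; reading /etc/krb5.keytab normally needs root.
# getent follows nsswitch.conf, so /etc/hosts entries are consulted before DNS.
if [ "${1:-}" = "--live" ]; then
    fqdn=$(hostname -f)
    ip=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
    ptr=""
    [ -n "$ip" ] && ptr=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    names_match "$fqdn" "$ptr" ||
        echo "forward/reverse mismatch: $fqdn -> ${ip:-none} -> ${ptr:-none}" >&2
    princ=$(klist -k /etc/krb5.keytab | machine_principal)
    if [ -n "$princ" ]; then
        kinit -k "$princ" && klist   # TGT for the machine account
    else
        echo "no NAME\$@REALM principal found in keytab" >&2
    fi
fi
```
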