[38802] in Kerberos
Issues getting Kerberos to work with realmd and Active Directory
daemon@ATHENA.MIT.EDU (Wesley Taylor)
Thu Jul 30 13:03:34 2020
From: Wesley Taylor <wesley.taylor@numerica.us>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 30 Jul 2020 17:00:24 +0000
Message-ID: <CY1P110MB0456536BEFEE4C025B3FD469FA710@CY1P110MB0456.NAMP110.PROD.OUTLOOK.COM>
Hi All,
I am trying to get HTCondor with Kerberos authentication (https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication) to work on some Linux machines I have which I joined to Windows Active Directory with realmd. HTCondor tries to authenticate with the machine principal, but I am having a hard time figuring out what that is. When I run 'klist -k' I see a bunch of entries from /etc/krb5.keytab along the lines of host/fqdn@REALM. However, when I run 'kinit -k' I get "kinit: Client $(hostname) not found in Kerberos database".
I then interrogated the realm with adcli, using 'adcli testjoin --verbose' and it outputs the computer account name as HOST/HOSTNAME@REALM. When I run 'kinit -k HOST/HOSTNAME@REALM' I get back the error "kinit: Keytab contains no suitible keys for HOST/HOSTNAME@REALM".
I am confused because when I run 'adcli update --verbose' it says it updated the keytab at /etc/krb5.keytab and outputs the same account name (which I am assuming is the principal for the computer) as adcli testjoin. I am really scratching my head about this. What am I doing wrong here?
Thanks,
Wes