[39502] in Kerberos


Windows 2003 realm joined

daemon@ATHENA.MIT.EDU (James Hancock)
Thu Mar 20 23:07:22 2025

MIME-Version: 1.0
From: James Hancock <20horizon93@gmail.com>
Date: Fri, 21 Mar 2025 07:38:03 +0500
Message-ID: <CAC7=E+qBuCVnoAQD=2uvescMA4wtEA23PHqBHE4WBG3i8PA74g@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello. I am interested in joining a Linux Debian client to an MS AD domain
on Windows 2003. This is very important for me. As I understand it, the
issue is not the removal of single-DES support in version 1.18, but a
change in behavior regarding 2003 GSSAPI and SPNEGO. Could you please
advise what functionality I would need to restore (at my own risk, of
course) so that I can join an MS AD domain on Windows 2003? I have already
spent about a week reading all the commits from version 1.17-final to
1.18.3-final, and I cannot pinpoint from the commits what exactly changed
in Kerberos behavior. I would appreciate your help.

The versions I am interested in are:
krb5 version: 1.18.3 (Debian 11), 1.21.1 (Debian 12), and also krb5 1.19.
The command used is:
sudo realm join ad03.loc -U Administrator --unattended --verbose
--client-software=sssd --membership-software=adcli

klist -e:
klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@AD03.LOC

Valid starting       Expires              Service principal
21.03.2025 05:37:59  21.03.2025 15:37:59  krbtgt/AD03.LOC@AD03.LOC
        renew until 22.03.2025 05:37:58, Etype (skey, tkt):
DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac

krb5.conf:
~$ sudo cat /etc/krb5.conf
[libdefaults]
    default_realm = AD03.LOC
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true

    rdns = false
    allow_weak_crypto = true
    permitted_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

[realms]
    AD03.LOC = {
        kdc = ws03.ad03.loc:88
        kdc = ws03.ad03.loc:88
        admin_server = ws03.ad03.loc:749
    }

[domain_realm]
    ad03.loc = AD03.LOC
    .ad03.loc = AD03.LOC

realm log:
 * Authenticated as user: Administrator@AD03.LOC
 ! Couldn't authenticate to active directory: SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Message stream modified)
adcli: couldn't connect to ad03.loc domain: Couldn't authenticate to active
directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Message stream modified)
 ! Insufficient permissions to join the domain
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
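One defensive check prompted by the configuration above, as an added example that is not part of the original post or of MIT krb5: a small Python audit of the krb5.conf [libdefaults] section that flags allow_weak_crypto and enctype lists pinned to RC4 (arcfour-hmac), which klist -e marks DEPRECATED in 1.18 and later. The config sample is constructed to mirror the poster's.

```python
# Added example (not from the original post): audit the [libdefaults]
# section of a krb5.conf for settings that pin the client to deprecated RC4.
import re
# Enctype names MIT krb5 1.18+ reports as DEPRECATED (aliases included).
DEPRECATED_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                       "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes",
                "default_tkt_enctypes")

def parse_libdefaults(conf_text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = value
    return settings

def audit_libdefaults(conf_text):
    """Return human-readable findings; an empty list means nothing weak."""
    s = parse_libdefaults(conf_text)
    findings = []
    if s.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        enctypes = s.get(key, "").replace(",", " ").lower().split()
        weak = sorted(e for e in enctypes if e in DEPRECATED_ENCTYPES)
        if weak:
            findings.append(f"{key} lists deprecated enctypes: {', '.join(weak)}")
        if enctypes and len(weak) == len(enctypes):
            findings.append(f"{key} permits only deprecated enctypes")
    return findings

# Constructed sample mirroring the poster's configuration.
SAMPLE_CONF = """[libdefaults]
    default_realm = AD03.LOC
    allow_weak_crypto = true
    permitted_enctypes = rc4-hmac
"""

if __name__ == "__main__":
    for finding in audit_libdefaults(SAMPLE_CONF):
        print("WEAK:", finding)
```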
