On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor wesley.taylor@numerica.us wrote:

I have a program I am trying to set up which tries to authenticate with the principal host\machine-FQDN@REALM using Kerberos.

However, when I run kinit -k, the machine isn't found in the Kerberos database.

"kinit -k" (with no arguments) defaults to attempting to obtain a TGT for (e.g.) host/mymachine.example.org@EXAMPLE.ORG, which only works if you set userPrincipalName to host/mymachine.example.org@EXAMPLE.ORG when you joined the host to Active Directory.

Running "kinit -k MYMACHINE$" (that is, using the value of the sAMAccountName attribute as the argument to "kinit -k") should always work.

From what I have read, SSSD is responsible for being the glue between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active Directory uses).

This has nothing to do with sssd; it's all about setting userPrincipalName correctly when you join the host to AD if you want "kinit -k" (with no arguments) to work.