On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.taylor@numerica.us> wrote:
> I have a program I am trying to set up which tries to authenticate with the principal host\machine-FQDN@REALM using Kerberos.
> However, when I run kinit -k, the machine isn't found in the Kerberos database.
"kinit -k" (with no arguments) defaults to attempting to obtain a TGT for (e.g.) host/mymachine.example.org@EXAMPLE.ORG, which only works if you set userPrincipalName to host/mymachine.example.org@EXAMPLE.ORG when you joined the host to Active Directory.
Running "kinit -k MYMACHINE$" (that is, using the value of the sAMAccountName attribute as the argument to "kinit -k") should always work.
> From what I have read, SSSD is responsible for being the glue between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active Directory uses).
This has nothing to do with sssd; it's all about setting userPrincipalName correctly when you join the host to AD if you want "kinit -k" (with no arguments) to work.
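As an added illustration of the two principal forms discussed above (not part of the thread, and not sssd or MIT Kerberos code): the shell functions below derive the default principal that "kinit -k" tries, derive the computer-account (sAMAccountName) principal, and check a "klist -k" listing for whether a principal is actually in the keytab before calling kinit. The realm, host name and keytab listing are constructed sample values.

```sh
#!/bin/sh
# Constructed sample of "klist -k" output for an AD-joined host; the realm,
# host name and KVNOs are made up for this example.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 MYMACHINE$@EXAMPLE.ORG
   3 host/mymachine.example.org@EXAMPLE.ORG
   3 host/MYMACHINE@EXAMPLE.ORG
   3 RestrictedKrbHost/mymachine.example.org@EXAMPLE.ORG'

# Principal that "kinit -k" with no argument tries: host/<fqdn>@<realm>.
# In AD this only resolves if userPrincipalName was set to this value at join time.
default_host_principal() {
  printf 'host/%s@%s\n' "$1" "$2"
}

# Computer-account principal in sAMAccountName form: the NetBIOS-style short name
# (upper case, at most 15 characters, the usual default when joining) plus "$".
computer_account_principal() {
  short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15)
  printf '%s$@%s\n' "$short" "$2"
}

# Print the principals from a "klist -k" listing: rows whose first column is a
# numeric KVNO, second column is the principal; header lines are skipped.
keytab_principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Exit 0 if the exact principal string appears in the listing.
keytab_has_principal() {
  keytab_principals "$1" | grep -qxF "$2"
}

# Typical use on a real host (needs a reachable KDC, so only shown as a comment):
#   klist -k | tee /tmp/keytab.txt
#   p=$(computer_account_principal "$(hostname -f)" EXAMPLE.ORG)
#   keytab_has_principal "$(cat /tmp/keytab.txt)" "$p" && kinit -k "$p"
```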