
Windows 2003 realm joined

From James Hancock <20horizon93@gmail.com>
Newsgroups comp.protocols.kerberos
Subject Windows 2003 realm joined
Date 2025-03-21 07:38 +0500
Organization TNet Consulting
Message-ID <mailman.175.1742526348.2322.kerberos@mit.edu> (permalink)
References <CAC7=E+qBuCVnoAQD=2uvescMA4wtEA23PHqBHE4WBG3i8PA74g@mail.gmail.com>



Hello. I am interested in joining a Linux Debian client to an MS AD domain
on Windows 2003. This is very important for me. As I understand it, the
issue is not the removal of single-DES support in version 1.18, but a
change in behavior regarding 2003 GSSAPI and SPNEGO. Could you please
advise what functionality I would need to restore (at my own risk, of
course) so that I can join an MS AD domain on Windows 2003? I have already
spent about a week reading all the commits from version 1.17-final to
1.18.3-final, and I cannot pinpoint from the commits what exactly changed
in Kerberos behavior. I would appreciate your help.

The versions I am interested in are:
krb5 version: 1.18.3 (Debian 11), 1.21.1 (Debian 12), and also krb5 1.19.
The command used is:
sudo realm join ad03.loc -U Administrator --unattended --verbose --client-software=sssd --membership-software=adcli

klist -e:
klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@AD03.LOC

Valid starting       Expires              Service principal
21.03.2025 05:37:59  21.03.2025 15:37:59  krbtgt/AD03.LOC@AD03.LOC
        renew until 22.03.2025 05:37:58, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac

krb5.conf:
~$ sudo cat /etc/krb5.conf
[libdefaults]
    default_realm = AD03.LOC
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true

    rdns = false
    allow_weak_crypto = true
    permitted_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

[realms]
    AD03.LOC = {
        kdc = ws03.ad03.loc:88
        kdc = ws03.ad03.loc:88
        admin_server = ws03.ad03.loc:749
    }

[domain_realm]
    ad03.loc = AD03.LOC
    .ad03.loc = AD03.LOC

realm log:
 * Authenticated as user: Administrator@AD03.LOC
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
adcli: couldn't connect to ad03.loc domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
 ! Insufficient permissions to join the domain
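The configuration and ticket output quoted above show a client pinned to RC4 (`allow_weak_crypto = true`, all three enctype lists set to `rc4-hmac`, and `klist -e` reporting `DEPRECATED:arcfour-hmac` for both the session key and the ticket). The following script is an added example, not code from the post, from MIT krb5 or from adcli/sssd: it parses a krb5.conf `[libdefaults]` section and `klist -e` output and reports every place where weak or deprecated enctypes are configured or actually in use, which is the check an administrator would want to run across a fleet before and after a migration away from Windows 2003-era settings. The sample inputs are constructed to mirror the post; the `WEAK_ENCTYPES` set lists the single-DES, triple-DES and RC4 names and aliases from the krb5.conf documentation.

```python
"""Audit krb5.conf and `klist -e` output for weak or deprecated Kerberos enctypes.

Added example for this thread. SAMPLE_KRB5_CONF and SAMPLE_KLIST are constructed
to mirror the post; they were not captured from the poster's system.
"""
import re

# Single-DES, triple-DES and RC4 enctype names and the aliases krb5.conf accepts for them.
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "rc4-hmac-exp", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*(.*?)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(\S+),\s*(\S+)")

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD03.LOC
    dns_lookup_realm = false
    allow_weak_crypto = true
    permitted_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

[realms]
    AD03.LOC = {
        kdc = ws03.ad03.loc:88
        kdc = ws03.ad03.loc:88
        admin_server = ws03.ad03.loc:749
    }

[domain_realm]
    ad03.loc = AD03.LOC
    .ad03.loc = AD03.LOC
"""

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@AD03.LOC

Valid starting       Expires              Service principal
21.03.2025 05:37:59  21.03.2025 15:37:59  krbtgt/AD03.LOC@AD03.LOC
        renew until 22.03.2025 05:37:58, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
"""


def parse_krb5_conf(text: str) -> dict:
    """Parse krb5.conf into {section: {key: value}}.

    One level of `key = { ... }` sub-blocks (e.g. [realms] entries) becomes a
    nested dict; a key repeated in the same scope (several `kdc` lines) becomes a list.
    """
    conf: dict = {}
    section = None
    block = None  # dict of the { ... } sub-block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # krb5.conf comment lines start with # or ;
            continue
        m = SECTION_RE.match(line)
        if m and block is None:
            section = conf.setdefault(m.group(1), {})
            continue
        if line == "}" and block is not None:
            block = None
            continue
        m = KV_RE.match(line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        target = block if block is not None else section
        if value == "{":
            block = target[key] = {}
            continue
        if key in target:  # accumulate repeated keys
            prev = target[key]
            target[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            target[key] = value
    return conf


def split_enctypes(value) -> list:
    """Enctype lists may be space- or comma-separated, and may have been repeated."""
    if isinstance(value, list):
        value = " ".join(value)
    return [e for e in re.split(r"[\s,]+", value) if e]


def audit_libdefaults(conf: dict) -> list:
    """Return human-readable findings about weak-crypto settings in [libdefaults]."""
    findings = []
    lib = conf.get("libdefaults", {})
    if str(lib.get("allow_weak_crypto", "false")).lower() in ("true", "yes", "on", "1"):
        findings.append("allow_weak_crypto is enabled: weak enctypes are accepted by the library")
    for key in ENCTYPE_KEYS:
        if key not in lib:
            continue
        etypes = split_enctypes(lib[key])
        weak = [e for e in etypes if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} includes weak enctypes: {', '.join(weak)}")
        if etypes and len(weak) == len(etypes):
            findings.append(f"{key} lists only weak enctypes: no AES session key can be negotiated")
    return findings


def parse_klist_etypes(text: str) -> list:
    """Return [(service_principal, skey_etype, tkt_etype)] from `klist -e` output."""
    entries, service = [], None
    for line in text.splitlines():
        m = ETYPE_RE.search(line)
        if m and service:
            entries.append((service, m.group(1), m.group(2)))
            continue
        parts = line.split()
        if len(parts) == 5 and "@" in parts[-1]:  # "<start date time> <expiry date time> <principal>"
            service = parts[-1]
    return entries


def audit_klist(text: str) -> list:
    """Flag tickets whose session key or ticket enctype is weak or labelled DEPRECATED."""
    findings = []
    for service, skey, tkt in parse_klist_etypes(text):
        for label, etype in (("session key", skey), ("ticket", tkt)):
            name = etype.split(":", 1)[-1].lower()  # strip klist's "DEPRECATED:" prefix
            if etype.upper().startswith("DEPRECATED:") or name in WEAK_ENCTYPES:
                findings.append(f"{service}: {label} uses weak enctype {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_libdefaults(parse_krb5_conf(SAMPLE_KRB5_CONF)) + audit_klist(SAMPLE_KLIST):
        print("WARN", finding)
```

On a real host, replace the two samples with the contents of `/etc/krb5.conf` and the output of `klist -e`; an empty findings list means the client neither permits nor is currently holding RC4 or DES keys.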
