• Windows 2003 realm joined

    From James Hancock@20horizon93@gmail.com to kerberos on Fri Mar 21 07:38:03 2025
    From Newsgroup: comp.protocols.kerberos

    Hello. I am interested in joining a Linux Debian client to an MS AD domain
    on Windows 2003. This is very important for me. As I understand it, the
    issue is not the removal of single-DES support in version 1.18, but a
    change in behavior regarding 2003 GSSAPI and SPNEGO. Could you please
    advise what functionality I would need to restore (at my own risk, of
    course) so that I can join an MS AD domain on Windows 2003? I have already
    spent about a week reading all the commits from version 1.17-final to
    1.18.3-final, and I cannot pinpoint from the commits what exactly changed
    in Kerberos behavior. I would appreciate your help.

    The versions I am interested in are:
    krb5 version: 1.18.3 (Debian 11), 1.21.1 (Debian 12), and also krb5 1.19.
    The command used is:
    sudo realm join ad03.loc -U Administrator --unattended --verbose --client-software=sssd --membership-software=adcli

    klist -e:
    klist -e
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: Administrator@AD03.LOC

    Valid starting Expires Service principal
    21.03.2025 05:37:59 21.03.2025 15:37:59 krbtgt/AD03.LOC@AD03.LOC
    renew until 22.03.2025 05:37:58, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac

    krb5.conf:
    ~$ sudo cat /etc/krb5.conf
    [libdefaults]
    default_realm = AD03.LOC
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true

    rdns = false
    allow_weak_crypto = true
    permitted_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

    [realms]
    AD03.LOC = {
    kdc = ws03.ad03.loc:88
    kdc = ws03.ad03.loc:88
    admin_server = ws03.ad03.loc:749
    }

    [domain_realm]
    ad03.loc = AD03.LOC
    .ad03.loc = AD03.LOC

    realm log:
    * Authenticated as user: Administrator@AD03.LOC
    ! Couldn't authenticate to active directory: SASL(-1): generic failure:
    GSSAPI Error: Unspecified GSS failure. Minor code may provide more
    information (Message stream modified)
    adcli: couldn't connect to ad03.loc domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
    failure. Minor code may provide more information (Message stream modified)
    ! Insufficient permissions to join the domain
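An added defensive check, example code that is not from the poster or from the MIT krb5 project: a small krb5.conf parser that flags the settings a reviewer would question in the configuration above (allow_weak_crypto, enctype lists pinned to the DEPRECATED RC4 family, and the duplicated kdc line). The sample input reproduces the post's own [libdefaults] and [realms] blocks; the list of deprecated enctype names and the '#' comment handling are my assumptions.

```python
# Constructed sample: the [libdefaults] and [realms] blocks from the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = AD03.LOC
allow_weak_crypto = true
permitted_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
AD03.LOC = {
kdc = ws03.ad03.loc:88
kdc = ws03.ad03.loc:88
admin_server = ws03.ad03.loc:749
}
"""
# Enctype names MIT krb5 reports as DEPRECATED (RC4 and single-DES families); assumed list.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp",
                 "arcfour-hmac-exp", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

def parse_krb5_conf(text):
    """Parse into {section: [(key, value), ...]}; relations inside a brace block
    are prefixed with the block name, e.g. ('AD03.LOC.kdc', 'ws03.ad03.loc:88')."""
    sections, section, prefix = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # treat '#' as starting a comment
        if line.startswith("[") and line.endswith("]"):
            section, prefix = line[1:-1], ""
            sections.setdefault(section, [])
        elif line == "}":
            prefix = ""
        elif line and section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                prefix = key + "."
            else:
                sections[section].append((prefix + key, value))
    return sections

def audit(conf):
    """Findings a defender would flag: weak-crypto switch, deprecated enctype lists, duplicate KDC lines."""
    findings, libdefaults = [], dict(conf.get("libdefaults", []))
    if libdefaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables DEPRECATED enctypes")
    for key in ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes"):
        weak = sorted({n.lstrip("+-").lower() for n in libdefaults.get(key, "").split()} & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} names deprecated enctypes: {', '.join(weak)}")
    kdcs = [kv for kv in conf.get("realms", []) if kv[0].endswith(".kdc")]
    findings += [f"{k} lists {v} {kdcs.count((k, v))} times" for k, v in sorted(set(kdcs)) if kdcs.count((k, v)) > 1]
    return findings
```

Run `audit(parse_krb5_conf(open("/etc/krb5.conf").read()))` against a real client to get the same list of findings for it.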