Authenticating with SSSD / Kerberos against Windows Server 2012 R2

Devyn · September 1, 2015, 12:25pm

I'm authenticating with SSSD / Kerberos against Windows Server 2012 R2. I've setup credentails delegation using these options:

Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPITrustDns yes

For both client/server but no luck. I've read online that I need to run ADSIEdit.msi to edit the user flags in Windows Server 2012 R2 to enable a delegation tab, which I've done, but no luck setting the delegation parameters. Thinking my issue is on the Windows Server 2012 with the setting I put for SPN ( servicePrincipalName ) but not 100%. 3

My question is does Linux SSSD / Kerberos care about the Windows Server 2012 R2 delegation settings and what should I set the servicePrincipalName too in Windows so my SSSD / Kerberos implementation will work?

What should I look for in the log files to determine if the credentials deletation is working or not working? I searched for *deleg* but nothing comes up.

What do I need to look for in the log files to determine where the delegation is breaking and hence not working?

Thanks,
Dev

Devyn · September 2, 2015, 5:36pm

Moved foward with the keytabs but now get:

Kerberos password authentication failed: Key version number for principal in key table is incorrect

Thanks,
Dev

Devyn · September 4, 2015, 11:11am

Is there a command to find out the key versions that it is saying are incorrect between server and client? Doesn't appear it's an issue with KVNO numbers because sometimes logins don't work (when I see the error above) even if KVNO's match or don't match between servers and client. Any help would be appreciated.

Ad Master 01: KVNO = 5
Ad Master 02: KVNO = 7

Client (RHEL) I've set the keytabs to KVNO = 5 for each of the 3 keytabs so they 'should' match but I still get the above error and hence Access Denied. If I don't specify -kvno 5 the system picks what appear to be next numbers in line like 29,30,31 etc

Thanks,
Dev