
I followed the Oracle tutorial for configuring NIS and using Kerberos as the authentication mechanism. I believe I got the Realm and KDC configured and running correctly on a server that is running NIS, so ypserv and ypbind are running. On a Kerberos client I ran the following command successfully (note authconfig is deprecated in favor of authselect but still works):

authconfig --enablenis --enablekrb5 --krb5realm=SUBDOMAIN.OURDOMAIN.EDU --krb5adminserver=sub.sub.ourdomain.edu --krb5kdc=sub.sub.ourdomain.edu --update

So kinit admin@SUBDOMAIN.OURDOMAIN.EDU works when going from a Kerberos client to the KDC and admin server (which are the same machine). Here's a snippet from /var/log/krb5kdc.log:

aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) x.x.x.x: ISSUE: authtime 1603133224, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@ourdomain.edu for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU

klist
Ticket cache: KEYRING:persistent:6105:6105
Default principal: admin@SUBDOMAIN.OURDOMAIN.EDU

Valid starting     Expires            Service principal
10/19/20 14:57:43  10/20/20 14:57:39  krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU
        renew until 10/19/20 14:57:43

But using ssh -K -vv returns "Unspecified GSS failure", although I can at least log in.

ssh -K -vv myuser@sub.sub.ourdomain.edu
OpenSSH_8.3p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /path/to/.ssh/config
debug1: /path/to/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/path/to/.ssh/sockets/myuser@sub.sub.ourdomain.edu-22" does not exist
debug2: resolving "sub.sub.ourdomain.edu" port 22
debug2: ssh_connect_direct
debug1: Connecting to sub.sub.ourdomain.edu [x.x.x.x] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sub.sub.ourdomain.edu:22 as 'myuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'sub.sub.ourdomain.edu' is known and matches the ECDSA host key.
debug1: Found key in /path/to/.ssh/known_hosts:33
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:6105)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /path/to/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /path/to/.ssh/id_dsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa_sk
debug1: Trying private key: /path/to/.ssh/id_ed25519
debug1: Trying private key: /path/to/.ssh/id_ed25519_sk
debug1: Trying private key: /path/to/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
myuser@sub.sub.ourdomain.edu's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to sub.sub.ourdomain.edu ([150.108.64.156]:22).
debug1: setting up multiplex master socket
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [/path/to/.ssh/sockets/myuser@sub.sub.ourdomain.edu-22]
debug2: fd 3 setting TCP_NODELAY
debug1: control_persist_detach: backgrounding master process
debug2: control_persist_detach: background process is 126689
debug2: fd 4 setting O_NONBLOCK
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug2: set_control_persist_exit_time: schedule exit in 600 seconds
debug1: multiplexing control connection
debug2: fd 5 setting O_NONBLOCK
debug1: channel 1: new [mux-control]
debug2: set_control_persist_exit_time: cancel scheduled exit
debug2: mux_master_process_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug2: mux_master_process_alive_check: channel 1: alive check
debug2: mux_master_process_new_session: channel 1: request tty 1, X 1, agent 0, subsys 0, term "xterm", cmd "", env 2
debug1: channel 2: new [client-session]
debug2: mux_master_process_new_session: channel_new: 2 linked to control channel 1
debug2: channel 2: send open
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug2: channel_input_open_confirmation: channel 2: callback start
debug2: client_session2_setup: id 2
debug2: channel 2: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_ALL = C
debug2: channel 2: request env confirm 0
debug2: channel 2: request shell confirm 1
debug2: channel_input_open_confirmation: channel 2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
debug1: mux_client_request_session: master session id: 2
debug2: channel_input_status_confirm: type 99 id 2
debug2: PTY allocation request accepted on channel 2
debug2: channel 2: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 2
debug2: shell request accepted on channel 2

Running kinit results in:

kinit: Client 'myuser@SUBDOMAIN.OURDOMAIN.EDU' not found in Kerberos database while getting initial credentials

and /var/log/krb5kdc.log has:

CLIENT_NOT_FOUND: myuser@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU, Client not found in Kerberos database

I also looked at this Toolbox tutorial but I didn't find anything there that helped.

Also, how can users who don't have a Kerberos client, e.g., on their personal laptop, log in using Kerberos authentication? Will ssh -K suffice? Does the Realm admin have to log in first for all NIS users to get a ticket?

Edit: debug requested by @user1686

Here's the debug before entering the password from trying 'bob' who is a Kerberos Principal but NOT a NIS user:

Resolving unique ccache of type KEYRING
Getting initial credentials for bob@sub.ourdomain.edu
Sending unauthenticated request
Sending request (202 bytes) to sub.ourdomain.edu
Resolving hostname olddsm.sub.ourdomain.edu
Sending initial UDP request to dgram 150.108.64.156:88
Received answer (459 bytes) from dgram 150.108.64.156:88
Sending DNS URI query for _kerberos.sub.ourdomain.edu.
No URI records found
Sending DNS SRV query for _kerberos-master._udp.sub.ourdomain.edu.
Sending DNS SRV query for _kerberos-master._tcp.sub.ourdomain.edu.
No SRV records found
Response was not from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
Preauthenticating using KDC method data
Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
Selected etype info: etype aes256-cts, salt "sub.ourdomain.edubob", params ""
Received cookie: MIT1\x00\x00\x00\x01\xa6o@\xe7\x18($\xb3\xa0\+G\x8c{h\xce\x7f\xb1\x8e\x1bi\x9c\xdd_\xf3\x0b\xef\xabpBe\xf0\xabP\x18\x0epD\x96\xe0{\xa6\x86\xdd\xbaW\xa8\x1b\x888F\x88NA\xb96F#+\xae0?cLXy\x06\x03\x036\x80e\xb6x\xf0\xaa\xba\x8c\xd5!v\xd62\xe8\x11\xbb\xfa~Q\x0f\xa6\xf1\\x95\x1b(_\x1dW\x0a\x18K\xd8\xc8\xd5\xeb\x0d\x92\xaa\x9bHA\x1a:\x10\xa7\xed\x9b\xde1>\xf6\x01\xbf\xf3Dk\x10\x9e\xda
SPAKE challenge received with group 1, pubkey E68F19E1E54CFB8167A58BA27281988C6D41E781616151E9E77E8BF2C9943384

Here's the debug after Bob's password:

SPAKE key generated with pubkey AFB1CF7A0590A8EB85009C098983F40ADE287C14812D7559AED3AD3906799A0A
SPAKE algorithm result: 06204D53974A5ED18239F0DC4894DE4218EB576231190E2BF4DFF29CA4A3F5E1
SPAKE final transcript hash: 17E210EF8E0DBA330E67D30E255C6D13F3FCFD8D6D05F6FFCB55F1FDD9397320
Sending SPAKE response
Preauth module spake (151) (real) returned: 0/Success
Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
Sending request (461 bytes) to SUB.OURDOMAIN.EDU
Resolving hostname olddsm.SUB.OURDOMAIN.EDU
Sending initial UDP request to dgram x.x.x.x:88
Received answer (725 bytes) from dgram x.x.x.x:88
Sending DNS URI query for _kerberos.SUB.OURDOMAIN.EDU.
No URI records found
Sending DNS SRV query for _kerberos-master._udp.SUB.OURDOMAIN.EDU.
Sending DNS SRV query for _kerberos-master._tcp.SUB.OURDOMAIN.EDU.
No SRV records found
Response was not from master KDC
AS key determined by preauth: aes256-cts/E5DE
Decrypted AS reply; session key is: aes256-cts/2E1C
FAST negotiation: available
Initializing KEYRING:persistent:6105:krb_ccache_6defZ3A with default princ bob@SUB.OURDOMAIN.EDU
Storing bob@SUB.OURDOMAIN.EDU -> krbtgt/SUB.OURDOMAIN.EDU@SUB.OURDOMAIN.EDU in KEYRING:persistent:6105:krb_ccache_6defZ3A
Storing config in KEYRING:persistent:6105:krb_ccache_6defZ3A for krbtgt/SUB.OURDOMAIN.EDU@SUB.OURDOMAIN.EDU: fast_avail: yes
Storing bob@SUB.OURDOMAIN.EDU -> krb5_ccache_conf_data/fast_avail/krbtgt\/SUB.OURDOMAIN.EDU\@SUB.OURDOMAIN.EDU@X-CACHECONF: in KEYRING:persistent:6105:krb_ccache_6defZ3A
Storing config in KEYRING:persistent:6105:krb_ccache_6defZ3A for krbtgt/SUB.OURDOMAIN.EDU@SUB.OURDOMAIN.EDU: pa_type: 151
Storing bob@SUB.OURDOMAIN.EDU -> krb5_ccache_conf_data/pa_type/krbtgt\/SUB.OURDOMAIN.EDU\@SUB.OURDOMAIN.EDU@X-CACHECONF: in KEYRING:persistent:6105:krb_ccache_6defZ3A

And klist:

klist
Ticket cache: KEYRING:persistent:6105:krb_ccache_6defZ3A
Default principal: bob@SUB.OURDOMAIN.EDU

Valid starting     Expires            Service principal
10/22/20 12:18:40  10/23/20 12:18:34  krbtgt/SUB.OURDOMAIN.EDU@SUB.OURDOMAIN.EDU
        renew until 10/22/20 12:18:40

And from krb5kdc.log:

olddsm.SUB-OURDOMAIN.EDU krb5kdc[2160](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.68.128: NEEDED_PREAUTH: bob@SUB-OURDOMAIN.EDU for krbtgt/SUB-OURDOMAIN.EDU@SUB-OURDOMAIN.EDU, Additional pre-authentication required

krb5kdc[2160](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.68.128: ISSUE: authtime 1603383520, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@SUB-OURDOMAIN.EDU for krbtgt/SUB-OURDOMAIN.EDU@SUB-OURDOMAIN.EDU

I haven't seen this mentioned in the tutorials I've referenced, but do the NIS users need to be migrated to the Kerberos Realm, as mentioned here? Also, I don't see pam_krb5.so in any of the PAM files, e.g., in /etc/pam.d/ nor /etc/authselect/. I did use the deprecated authconfig option and got no errors, just warnings about it being replaced by authselect.

sshd logs from a NIS-only user, demonstrating that only the NIS password works:

attempt 0 failures 0 [preauth]
PAM: initializing for "xx"
PAM: setting PAM_RHOST to "x.x.x.x"
PAM: setting PAM_TTY to "ssh"
userauth-request for user ts service ssh-connection method gssapi-with-mic [preauth]
attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for ts from x.x.x.x port 58692 ssh2 [preauth]
Unspecified GSS failure.  Minor code may provide more information
Request ticket server host/sub.subdomainourdomain.edu@SUBDOMAIN.OURDOMAIN.EDU kvno 6 not found in keytab; keytab is likely out of date
Got no client credentials
userauth-request for user ts service ssh-connection method gssapi-with-mic [preauth]
attempt 2 failures 1 [preauth]
userauth-request for user ts service ssh-connection method publickey [preauth]
attempt 3 failures 1 [preauth]
userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk [preauth]
temporarily_use_uid: 1202/150 (e=0/0)
trying public key file /home/users/ts/.ssh/authorized_keys
Could not open authorized keys '/home/users/xx/.ssh/authorized_keys': No such file or directory
restore_uid: 0/0
Failed publickey for ts from x.x.x.x port 58692 ssh2: RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
userauth-request for user xx service ssh-connection method password [preauth]
attempt 4 failures 2 [preauth]
PAM: password authentication accepted for ts
do_pam_account: called
Accepted password for ts from x.x.x.x port 58692 ssh2
RobbieTheK
  • Could you re-do the SSH test after running `export KRB5_TRACE=/dev/stderr`, and could you show a `klist` output immediately before and after the test? – user1686 Oct 21 '20 at 12:08
  • @user1686 I updated the logs and tried to clean them up to make them more readable. I [see on Solaris](https://docs.oracle.com/cd/E36784_01/html/E37126/st-migr-1.html#scrolltoc) there is an Automatic Migration option using `pam_krb5_migrate.so.1`, but that's not available on Fedora/CentOS, so I don't think that NIS users need to have a new account in the Realm. – RobbieTheK Oct 22 '20 at 17:34
  • I [got a reply from the Kerberos mailing list](https://www.mail-archive.com/kerberos@mit.edu/msg23094.html) and I was hoping someone here could guide me in getting the correct auth stack in the PAM config files. I got the following errors: `> /usr/lib64/security/pam_krb5_migrate.so.1): lib kadm5clnt_mit.so.11: > cannot open shared object file: No such file or directory` "In Fedora, libkad5clnt_mit.so is provided by libkadm5. However, there has been a soname bump (to 12)." – RobbieTheK Oct 23 '20 at 19:21
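The two failures in the question are independent, and the sshd log is the more useful of the two. On the client side, "No Kerberos credentials available" is only the consequence of kinit failing: CLIENT_NOT_FOUND means no principal named myuser exists in the realm database, and NIS accounts do not get one automatically; each user needs a principal created with kadmin addprinc before ssh -K can do anything. On the server side, "Request ticket server host/... kvno 6 not found in keytab" means the client did obtain a service ticket, but the KDC encrypted it with key version 6 of the host principal while /etc/krb5.keytab on the ssh server holds a different version, so sshd cannot decrypt it and falls through to password. The script below is an added example by the editor, not code from the original post or from any tutorial it cites: it parses an MIT Kerberos keytab (file format 0x0502), extracts the service principal and kvno from sshd's log line, and reports whether the keytab is current, stale, or has no key for that principal. The keytab bytes are constructed in memory with write_keytab(); the kvno 5/6 values and the dummy 32-byte keys are assumptions for illustration, and the log line is the one quoted in the question.

```python
"""Check an MIT Kerberos keytab against sshd's 'kvno N not found' GSSAPI error.

Editor's added example, not from the original post. The keytabs are
constructed in memory; kvno values and key bytes are illustrative.
"""
import re
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 0x0502
ENCTYPE_AES256_SHA1 = 18     # aes256-cts-hmac-sha1-96, as in the KDC log above


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries):
    """Build a keytab from (principal, kvno, enctype, key) tuples.
    Entry layout: int32 length, uint16 ncomponents, realm, components,
    uint32 name_type (1 = NT-PRINCIPAL), uint32 timestamp, uint8 vno8,
    keyblock (uint16 enctype + counted key), then the 32-bit vno extension."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return [{'principal', 'kvno', 'enctype'}] for every live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:            # 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


# libgssapi_krb5 emits this through sshd when the service ticket was encrypted
# with a key version the keytab does not contain.
SSHD_KVNO_RE = re.compile(r"Request ticket server (\S+) kvno (\d+) not found in keytab")


def keytab_status(keytab: bytes, sshd_line: str) -> str:
    """'ok' if the needed kvno is present, 'stale' if only other kvnos exist for
    that principal, 'missing' if the principal is absent, 'unrelated' otherwise."""
    m = SSHD_KVNO_RE.search(sshd_line)
    if m is None:
        return "unrelated"
    principal, needed = m.group(1), int(m.group(2))
    have = [e["kvno"] for e in parse_keytab(keytab) if e["principal"] == principal]
    if needed in have:
        return "ok"
    return "stale" if have else "missing"


# Sample data: the sshd line quoted in the question plus two constructed keytabs.
SSHD_LINE = ("Request ticket server host/sub.subdomainourdomain.edu@SUBDOMAIN.OURDOMAIN.EDU "
             "kvno 6 not found in keytab; keytab is likely out of date")
HOST_PRINC = "host/sub.subdomainourdomain.edu@SUBDOMAIN.OURDOMAIN.EDU"
STALE_KEYTAB = write_keytab([(HOST_PRINC, 5, ENCTYPE_AES256_SHA1, b"\x11" * 32)])
FRESH_KEYTAB = write_keytab([(HOST_PRINC, 5, ENCTYPE_AES256_SHA1, b"\x11" * 32),
                             (HOST_PRINC, 6, ENCTYPE_AES256_SHA1, b"\x22" * 32)])

if __name__ == "__main__":
    for label, kt in (("stale", STALE_KEYTAB), ("fresh", FRESH_KEYTAB)):
        print(label, keytab_status(kt, SSHD_LINE), parse_keytab(kt))
```

On the real server the same comparison is `klist -kte /etc/krb5.keytab` (kvno of every keytab entry) against `kadmin -p admin -q "getprinc host/sub.subdomainourdomain.edu"` (the KDC's current kvno); if they differ, re-extract the key on the ssh server with `kadmin -p admin -q "ktadd host/sub.subdomainourdomain.edu"`. Note that ktadd generates a new random key and increments the kvno, so it must be run on the host that will hold the keytab, not copied around afterwards from a stale file. The client-side symptom is fixed separately by creating the user principal (`kadmin -p admin -q "addprinc myuser"`) and running kinit as that user before ssh -K.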

0 Answers