I'm attempting to setup Kerberos login support (Windows AD domain providing the kerberos) for Kubuntu 12.04 Linux workstations at the company I'm at.
It's almost completely working but I can't get kerberos working both for machine logins (via kdm) and ssh at the same time. The issue seems to be that kdm detects the fully qualified domain of the host as hostname.domain. and ssh detects the fully qualified domain as being hostname.domain (note the lack of trailing .)
That lack or presense of . on the end of the domain that is used in the kerberos requests is enough to make the ticket request fail with a 'Server not found in kerberos database' error. If I update /etc/hosts to have the fully qualified hostname as hostname.domain. and join the domain using samba kdm logins using kerberos work correctly but ssh logins fail. If I update /etc/hosts to have the host as hostname.domain then ssh logins using kerberos work but kdm login fail.
I'm at a bit of a loss as to why the two services are detecting the fully qualified domain name differently - I've done extensive searches and not found any reference to anybody else having this issue or any options to force one of the services to detect their domain names differently.
Technical details
Kubuntu 12.04 being used is a technical requirement outside my control so upgrading to a later distro isn't an option at this stage.
pam_krb5 is being used to provide the kerberos authentication via pam dns being used isn't the windows dns (can't switch dns servers until further work on other infrastruture is complete) so the main details used for the samba kerberosied join to the domain comes from /etc/hosts which looks something like
127.0.0.1 hostname.domain. hostname localhost
(the unix dns server in use though does have correct forward and reverse dns entries for the hosts though)
/etc/krb5.conf (which is mostly the distro default with the domain details and servers entered in)
[libdefaults]
default_realm = DOMAIN
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# samba 3 didn't like the default enc type so overridden to ones it supported
default_tkt_enctypes = arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN = {
kdc = dc01.domain
kdc = dc02.domain
admin_server = dc01.domain
}
[domain_realm]
.domain = DOMAIN
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf (only used for joining the domain)
[global]
security = ads
realm = WETAFX.CO.NZ
workgroup = WETAFX.CO.NZ
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam wise /etc/pam.d/kdm just includes the common- pam files which have the standard pam_krb5.so entries such as
auth sufficient pam_krb5.so minimum_uid=1000
which basically are taken directly from the man pages for pam_krb5.conf
the ssh config has
GSSAPIAuthentication yes
and the rest is the standard default ubuntu ssh config file.
Thanks for any pointers as to what is causing this mismatch in detected fully qualified domain between services.
