I have a domain joined windows 10 computer trying to authenticate via kerberos to an ipa (4.4.0) client (centos 7.2), I can authenticate with user/pass and then kinit but I cannot seem to authenticate with the kerberos tickets on my machine.
ipaclients CAN authenticate via kerberos to windows servers (winrm).
Layout example.org = trusted domain with users example.com = root domain for systems ad.example.com = child domain for systems ipa.example.com = realm for FreeIPA
Authentication to all domains from users@example.org works, kerberos for things like IIS Windows Authentication works as expected, Winrm works from windows and linux using kerberos. I have not tested apache 401 with keytabs and trusted users yet.
debug1: Next authentication method: gssapi-with-mic debug1: Miscellaneous failure (see text) unable to find realm of host WIN10HOSTNAME
debug1: Miscellaneous failure (see text) unable to find realm of host WIN10HOSTNAME
debug2: we did not send a packet, disable method
WIN10HOSTNAME = hostname
I've tried MIT Kerberos and also tried setting the default realm in the krb5.ini file (windows). I'm not really sure how to set the default realm.
Windows 10 Client (mingw64)
ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2h 3 May 2016
klist
Current LogonId is 0:0x3a258
Cached Tickets: (4)
1 Client: jevans @ EXAMPLE.ORG
Server: krbtgt/AD.EXAMPLE.ORG @ EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a50000 -forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 1/26/2017 8:26:58 (local)
End Time: 1/26/2017 18:25:47 (local)
Renew Time: 1/26/2017 18:25:47 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: DC01.example.com
1 Client: jevans @ EXAMPLE.ORG
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.ORG
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a50000 -forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 1/26/2017 8:26:58 (local)
End Time: 1/26/2017 18:25:47 (local)
Renew Time: 1/26/2017 18:25:47 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: DC01.example.org
2 Client: jevans @ EXAMPLE.ORG
Server: krbtgt/EXAMPLE.ORG @ EXAMPLE.ORG
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -forwardable renewable initial pre_authent name_canonicalize
Start Time: 1/26/2017 8:25:47 (local)
End Time: 1/26/2017 18:25:47 (local)
Renew Time: 1/26/2017 18:25:47 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -PRIMARY
Kdc Called: DC01.example.org
3 Client: jevans @ EXAMPLE.ORG
Server: ldap/AD-DC01.AD.EXAMPLE.ORG/AD.EXAMPLE.ORG @ AD.EXAMPLE.ORG
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 1/26/2017 8:26:58 (local)
End Time: 1/26/2017 18:25:47 (local)
Renew Time: 1/26/2017 18:25:47 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: AD-DC01.ad.example.com
Linux Endpoint
ktutils, then read_kt /etc/krb5.keytab, then list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 host/linux-server@IPA.EXAMPLE.COM
2 1 host/linux-server@IPA.EXAMPLE.COM
3 1 host/linux-server@IPA.EXAMPLE.COM
4 1 host/linux-server@IPA.EXAMPLE.COM
5 1 host/linux-server@IPA.EXAMPLE.COM
6 1 host/linux-server@IPA.EXAMPLE.COM
7 1 host/linux-server@IPA.EXAMPLE.COM
8 1 host/linux-server@IPA.EXAMPLE.COM
9 1 host/linux-server@IPA.EXAMPLE.COM
10 1 host/linux-server@IPA.EXAMPLE.COM
11 1 host/linux-server@IPA.EXAMPLE.COM
12 1 host/linux-server@IPA.EXAMPLE.COM
