I've recently been trying to set up a new Ubuntu server environment. We've wanted to set up a single sign-on system that functions similarly to good old Windows AD. In this case you would SSH with a Kerberos username and password and you are authenticated as usual, a local home directory is created if you don't already have one, and you can proceed as a normal local user.

In this case all of our servers are Ubuntu Server 16.04/16.10, and this cannot be changed.

I've followed along and studied with the O'Reilly book "Kerberos: The Definitive Guide" and from here I've managed to set up my KDC and DNS, as far as I can tell, correctly. The problem appears to be when I try to set up a client. I poke the krb5.conf file to the right places and make sure I have user principals, but whenever I try to log in, it hangs for a second, then authentication fails with the error "Decrypt integrity check failed" in auth.log.

In this case I'm using the PAM modules pam_krb5.so and pam_mkhomedir.so to create a new user home directory. These were set using Ubuntu's pam-auth-update utility.

I can get Kerberos tickets just fine if I manually kinit from the client machine, but login seems to completely fail.

For a while we tried to evaluate FreeIPA, but that seemed to fail spectacularly and unresolvably on Ubuntu for us; it seemed like more trouble than it's worth.

I'm really not sure what I'm missing here, and every time I try to find information on the subject it feels like I'm missing some crucial step that's expected of me but no one seems to tell me?

Thanks!

Wingar

0 Answers