Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1168 questions
10 votes, 2 answers

Automatic Kerberos Ticket Renewal (Indefinitely)

I am currently switching our environment from NIS over to Kerberos + LDAP. During this migration I've now run into the following situation. We mount our homes via NFS which obviously should also be kerberized. However since our users all login at…
Blackclaws
10 votes, 5 answers

How to integrate Active Directory with FreeBSD 10.0 using security/sssd?

What are the required steps to authenticate users from an Active Directory running on Windows Server 2012 R2 in FreeBSD 10.0 using sssd with the AD backend with Kerberos TGT working?
10 votes, 2 answers

Demoted domain controller still authenticating users

Why is a demoted domain controller still authenticating users? Whenever users log onto workstations with domain accounts, this demoted DC authenticates them. Its security log shows their logons, logoffs, and special logons. Our new DCs' security…
10 votes, 1 answer

Kerberos authentication, service host and access to KDC

I have a web application (hostname: service.domain.com) and I wish to use Kerberos authentication to identify users that are logged into a Windows domain. Microsoft AD (Windows Server 2008 R2) is providing the Kerberos service. The service is a…
10 votes, 2 answers

How can I log into a Domain controller that doesn't trust itself

I have a Windows 2008 R2 standalone Domain Controller that I restored from backup. The original DC is offline. When I log in with valid user credentials I get the error: "The security database on the server does not have a computer account for…
makerofthings7
10 votes, 1 answer

Adding local users / passwords on Kerberized Linux box

Right now if I try to add a non-system user not in the university's Kerberos realm I am prompted for a Kerberos password anyway. Obviously there is no password to be entered, so I just press enter and see: passwd: Authentication token manipulation…
Brian
10 votes, 3 answers

How to deny access to disabled AD accounts via kerberos in pam_krb5?

I have a working AD/Linux/LDAP/KRB5 directory and authentication setup, with one small problem. When an account is disabled, SSH publickey authentication still allows user login. It's clear that kerberos clients can identify a disabled account, as…
PhilR
9 votes, 2 answers

Possible to authenticate Samba via Kerberos but without domain-join?

With a Kerberos config file... [realms] DOMAIN.COM = { kdc = dc1.domain.com admin_server = dc1.domain.com } ...it is possible for Linux to talk to Active Directory for password validation without necessarily being an AD domain…
DarkSideGeek
9 votes, 1 answer

How to remotely generate Windows AD Kerberos keytab from a Unix machine?

I would like to know if it’s possible to create a keytab file direct from a client machine without using the ktpass utility in the Windows Server side. The main reason I would want this, is to automatically enable the integration of Kerberos…
Allan Alvaro
9 votes, 2 answers

Kerberos: Separating AS and TGS

In Kerberos, the Authentication Server (AS) and the Ticket Granting Server (TGS) are generally implemented on the same server. This machine is called the Key Distribution Center (KDC). Surely, it makes sense to implement these services on the same…
Misch
9 votes, 7 answers

Add new server to Server Manager, get Kerberos error 0x80090322

I'm setting up a Windows lab environment. It has a Win2012R2 domain controller (srv001) and I'd like to add another Win2012R2 server to the domain (srv003). Actually, all goes well. I gave the new server a static IP address in the same subnet as the…
rwwilden
9 votes, 2 answers

Any options out there for kerberized ssh client on windows?

Are there any good (reliable / free) ssh clients that work easily with Active Directory authenticated accounts in a Windows environment? Ideally that wouldn't need the Kerberos for Windows package? I know there are various modified versions of…
chris
8 votes, 1 answer

Create SPN with setspn.exe - Insufficient access rights

On a Windows Server 2008 Domain Controller, I'm attempting to add a Service Principal Name (SPN) to a user account 'Postmaster' in order to enable Kerberos authentication from a Communigate email server. The command line I'm using is of the…
kbluck
8 votes, 2 answers

Changing login-formats for Linux and Active Directory

On CentOS, I run realm list and see login-formats: %U@mydomain.local I'd like to change login-formats: %U@mydomain.local to login-formats: %U How would I go about doing this? I'm assuming there is a .conf file, I've checked sssd.conf and krb5.conf…
dcfcolo
8 votes, 2 answers

SQL Server Windows Authentication fails after tonight's security updates: The login is from an untrusted domain

We have the following setup: One Domain Controller (DC, Server 2003 R2 Standard x64) One SQL Server (SQL, Server 2008 R2 Standard x64) some clients. All machines are in the same domain. All user accounts in use are domain accounts. SQL runs one…
Heinzi