On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.tay...@numerica.us> wrote:
> I have a program I am trying to set up which tries to authenticate
> with the principal host\machine-FQDN@REALM using Kerberos.
>
> However, when I run kinit -k, the machine isn't found in the Kerberos
> database.

"kinit -k" (with no arguments) defaults to attempting to obtain a TGT for (e.g.) host/mymachine.example....@example.org, which only works if you set userPrincipalName to host/mymachine.example....@example.org when you joined the host to Active Directory. Running "kinit -k MYMACHINE\$" (that is, using the value of the sAMAccountName attribute as the argument to "kinit -k") should always work.

> From what I have read, SSSD is responsible for being the glue
> between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which
> Active Directory uses).

This has nothing to do with sssd; it's all about setting userPrincipalName correctly when you join the host to AD if you want "kinit -k" (with no arguments) to work.
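
The explicit-principal form of "kinit -k" described in the reply above, as an added example that is not part of the original post: it reads the keytab listing, picks the entry in sAMAccountName form (NAME$@REALM), and passes it to kinit. The function names, the sample listing, and the host and realm in it are constructed for illustration; the listing layout assumed is that of MIT Kerberos "klist -k".

```sh
#!/bin/sh
# Added example; function names and sample data are hypothetical.

# Constructed sample of MIT "klist -k" output for an AD-joined host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/mymachine.example.org@EXAMPLE.ORG
   2 MYMACHINE$@EXAMPLE.ORG'

# machine_principal: read "klist -k" output on stdin and print the first
# entry whose name has no service component and ends in "$" before the
# realm, i.e. the sAMAccountName form. Exit status is 1 if none is found.
machine_principal() {
    awk '
        $1 ~ /^[0-9]+$/ && index($2, "/") == 0 && $2 ~ /^[^@]+[$]@[^@]+$/ {
            print $2; found = 1; exit
        }
        END { exit !found }
    '
}

# kinit_machine: obtain a TGT with the machine account key from the given
# keytab (default /etc/krb5.keytab), naming the principal explicitly
# instead of relying on the host/FQDN default of a bare "kinit -k".
kinit_machine() {
    keytab=${1:-/etc/krb5.keytab}
    princ=$(klist -k "$keytab" | machine_principal) || {
        echo "no NAME\$@REALM entry in $keytab" >&2
        return 1
    }
    kinit -k -t "$keytab" "$princ"
}

# Offline demonstration on the constructed listing (does not call kinit).
printf '%s\n' "$SAMPLE_KLIST" | machine_principal
```

On a joined host, run kinit_machine as root (the keytab is normally readable only by root) and confirm the result with klist.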