adcli creates wrong kerberos keytab entry with uppercase HOST

Solution Verified - Updated -

Issue

When joining a RHEL7 server to Microsoft Active Directory with the adcli command, the Kerberos keytab file with the corresponding service principals is created incorrectly. As a result, connecting with, for example, SSH using Kerberos GSSAPI authentication fails:

# ssh -o StrictHostKeyChecking=no -o PreferredAuthentications=gssapi-with-mic root@host.mydomain.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

This is the generated entry:

HOST/host.mydomain.com@MYDOMAIN.COM

But authentication works only with service principal entries like this in the Kerberos keytab file:

host/host.mydomain.com@MYDOMAIN.COM

This seems to be a lower/upper-case problem in the service part of the service principal in the Kerberos keytab file.
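
A quick way to check a keytab for this condition, shown as an added example that is not part of the original article: the function below reads `klist -k` style output and reports every HOST/ principal that has no lowercase host/ counterpart. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report keytab principals whose service part is upper-case
# "HOST" and for which no matching lower-case "host/" entry exists.
# Input on stdin: text as printed by `klist -k` (also works with -t and -e).

find_uppercase_host_only() {
    awk '
        # Entry lines start with the numeric KVNO column.
        $1 ~ /^[0-9]+$/ {
            p = ""
            # The principal is the field containing "@" (skips timestamps/enctypes).
            for (i = 2; i <= NF; i++) if (index($i, "@")) p = $i
            slash = index(p, "/")
            if (!slash) next                 # not a service principal
            svc  = substr(p, 1, slash - 1)   # e.g. HOST or host
            rest = substr(p, slash + 1)      # e.g. host.mydomain.com@MYDOMAIN.COM
            if (svc == "host") have_lower[rest] = 1
            else if (svc == "HOST") have_upper[rest] = 1
        }
        END {
            for (r in have_upper)
                if (!(r in have_lower)) print "HOST/" r
        }
    ' | sort
}

# Constructed sample listing (not output from a real system).
sample_klist_output() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/host.mydomain.com@MYDOMAIN.COM
   2 HOST/host.mydomain.com@MYDOMAIN.COM
   2 host/other.mydomain.com@MYDOMAIN.COM
   2 HOST/other.mydomain.com@MYDOMAIN.COM
   2 RHEL7HOST$@MYDOMAIN.COM
EOF
}

# On a joined host: klist -k /etc/krb5.keytab | find_uppercase_host_only
sample_klist_output | find_uppercase_host_only
```

Any principal it prints is one for which the keytab holds only the uppercase form shown in this article.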

Environment

  • Red Hat Enterprise Linux 7
  • Active Directory
