Managing AD Computer Accounts with adcli and kerberos on Linux
Posted on Mon, Jun 02, 2025 at 12:12 by Hubertus A. Haniel
When configuring Samba on Linux against Active Directory these steps are part of that process as well, but you may just want to use Kerberos on its own, so these are the initial steps to get it working on RHEL 8/9.
First you need to install the krb5-workstation and adcli packages, which should be available in the default repos.
Then you need to configure /etc/krb5.conf to reflect your AD domain (mine is upnor.localnet.lan):
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = UPNOR.LOCALNET.LAN
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    UPNOR.LOCALNET.LAN = {
        kdc = 192.168.0.10
    }
Now we need to join the domain, and for this the command is something like:
adcli join -v --domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan
Note that the OU components appear back to front compared with what the Windows Active Directory GUI shows, where my OU path is "\SERVERS\Unix Samba Servers", and you obviously have to escape the spaces with \. The userid needs to be somebody who has the rights to manage computer accounts in that OU, and the command has to be run as root.
The command will create the computer account and the /etc/krb5.keytab file.
You should now be able to get a Kerberos ticket with "kinit <userid>".
Now we are in a position to run other commands, and we can authenticate against AD with the Kerberos ticket (the -C option).
So we can, for example, create an SPN for our host (again as root, as /etc/krb5.keytab will get modified):
adcli update --add-service-principal=cifs/alias.upnor.localnet.lan --domain "upnor.localnet.lan" -v -C
alias.upnor.localnet.lan is an alias for my server running Samba, and we may need this to authenticate against Samba on this server using this alias. I have run all these commands in verbose mode (-v) because with this command I noticed that, where the update in AD failed while adding an SPN, it still carried on updating the local keytab file.
We should be able to query the SPN from a Windows client using "setspn -T upnor.localnet.lan -Q */alias.upnor.localnet.lan"
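Two small helpers for the steps above, added here and not taken from the post or from adcli: the first builds the DN for the -O option from the OU path exactly as the GUI shows it (the back-to-front ordering noted earlier), the second checks a keytab listing for an SPN so the local side can be compared with the AD side after an adcli update. It assumes a POSIX shell on the RHEL 8/9 host with krb5-workstation installed, and the standard "klist -kt" column layout.

```shell
#!/bin/sh
# Added helpers, not part of the original post or of adcli. Assumes a POSIX shell
# on the RHEL 8/9 host with krb5-workstation installed; the OU path and domain
# used in the comments are the post's own example values.

# Build the DN for adcli's -O option from the OU path as the AD Users and
# Computers GUI shows it (top-down, e.g. '\SERVERS\Unix Samba Servers').
# The DN lists the leaf OU first, so each component is prepended; spaces are
# kept, so quote the result on the adcli command line instead of escaping them.
ou_path_to_dn() {
    path=$1; domain=$2; dn=""
    old_ifs=$IFS
    set -f                          # no pathname expansion while word-splitting
    IFS='\'
    for part in $path; do
        [ -n "$part" ] || continue  # empty field from the leading backslash
        if [ -n "$dn" ]; then dn="OU=$part,$dn"; else dn="OU=$part"; fi
    done
    IFS='.'
    for part in $domain; do         # upnor.localnet.lan -> DC=upnor,DC=localnet,DC=lan
        dn="$dn,DC=$part"
    done
    IFS=$old_ifs
    set +f
    printf '%s\n' "$dn"
}

# Read 'klist -kt' output on stdin; exit 0 if the given SPN has a key there.
# Only the principal column is matched (a space before, '@REALM' after).
spn_in_klist_output() {
    grep -Fq " $1@"
}

# After 'adcli update --add-service-principal=... -v', check the local side.
# The post notes the keytab can be updated even when the AD update fails, so
# pair this with the AD-side query (setspn -Q from a Windows client) before
# trusting the result.
keytab_has_spn() {
    klist -kt "${2:-/etc/krb5.keytab}" | spn_in_klist_output "$1"
}
```

For example, `adcli join ... -O "$(ou_path_to_dn '\SERVERS\Unix Samba Servers' upnor.localnet.lan)"` passes the same DN as the join command above, and `keytab_has_spn cifs/alias.upnor.localnet.lan` confirms the SPN's key landed in /etc/krb5.keytab.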
We can also pre-set a computer account for another server that may not have adcli installed but that we want to join to the domain using Samba with "net ads join -U <userid>", because Samba for some reason does not create computer accounts and certainly cannot create them in a specific OU:
adcli preset-computer <other server name> --domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan -v -C
The only bit I cannot figure out is how to edit the SPNs for a remote host like you can with setspn in Windows. I have, without success, tried various combinations to achieve the same as:
setspn -S http/daserver daserver1
    It will register SPN "http/daserver" for computer "daserver1" if no such SPN exists in the domain
setspn -D http/daserver daserver1
    It will delete SPN "http/daserver" for computer "daserver1"
If you work it out, let me know and I will add it here!
Edited on: Mon, Jun 02, 2025 13:30. Posted in HowTo, System - Linux, System - Windows.