I'm working inside a domain environment, served by Active Directory from a Windows 2008 host. I'm a regular "Domain User", with no special privileges and will not be able to get any.
When trying to set up my own Linux system to log in via ssh with Kerberos, I've run into a snag: I can't add a principal of the form: host/@DOMAIN
Which brings me to the question: is there any way around this to get single-sign-on (SSO) functionality?
If not, is there some other mechanism to accomplish SSO? (I'm guessing this would require setting up my own internal KDC).
You need to join the Linux machine to the AD, so the machine account and an associated key are created. `net ads join` from the Samba package is an easy way to do that. I think this is the (only) part for which you need AD administrator privileges. Then you can populate the keytab with SPNs; adding an SPN record to the machine account then requires only the "Validated write to SPN" privilege.

There is a way to map SPNs (and keytab entries) to arbitrary domain accounts using the `ktpass.exe` utility, but this surely requires access to the domain controller with administrative privileges.

Without that you won't be able to use AD as your Kerberos realm. There are other options like - as you suggested - setting up a parallel Kerberos environment with its own KDC, which would additionally involve configuring every service you want to support this realm.
Kerberos is not the only SSO option, though. An integrated key/password encrypted store like KWallet or Apple Keychain might provide an even better SSO feel while requiring zero configuration.
Hope this helps.
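As an added example (not from the question or the answer above): once the keytab has been populated after the join, a quick sanity check that it actually carries the `host/` SPN sshd's GSSAPI authentication needs, that the entries share one KVNO, and that no weak RC4/DES keys remain. The sample is constructed and assumes MIT `klist -k -e` output; the hostname `linuxbox.example.com` and realm `EXAMPLE.COM` are placeholders.

```shell
#!/bin/sh
# Added example: verify a keytab populated after "net ads join".
# Assumes the line format of MIT "klist -k -e": KVNO, principal, (etype).

# Constructed sample of "klist -k -e /etc/krb5.keytab" output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/linuxbox.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/linuxbox.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/linuxbox.example.com@EXAMPLE.COM (arcfour-hmac)
   3 LINUXBOX$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_host_spn <klist output> <fqdn> <REALM>
# Exit 0 when host/<fqdn>@<REALM> has at least one key in the keytab;
# without it, "GSSAPIAuthentication yes" in sshd_config cannot work.
keytab_has_host_spn() {
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* host/$2@$3 "
}

# keytab_weak_etypes <klist output>
# Print "principal (etype)" for every entry still keyed with RC4 or DES,
# which should be removed from both the keytab and the account's
# msDS-SupportedEncryptionTypes once AES works end to end.
keytab_weak_etypes() {
    printf '%s\n' "$1" |
        awk '/\((arcfour-hmac|des-cbc-crc|des-cbc-md5|des3-cbc-sha1)\)/ { print $2, $3 }'
}

# keytab_kvno_consistent <klist output> <principal>
# Exit 0 when all entries for the principal share a single KVNO; mixed
# KVNOs usually mean a stale keytab after the machine password rotated.
keytab_kvno_consistent() {
    n=$(printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' |
        sort -u | awk 'END { print NR }')
    [ "$n" -eq 1 ]
}

# Stand-alone run against the constructed sample.
if keytab_has_host_spn "$SAMPLE_KLIST" linuxbox.example.com EXAMPLE.COM; then
    echo "host SPN present"
fi
keytab_weak_etypes "$SAMPLE_KLIST"
```

On a real host, replace the sample with `klist -k -e /etc/krb5.keytab` output (readable as root) and the placeholders with your FQDN and realm.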