Some ways of integrating ThinLinc with Active Directory domains result in usernames that include the domain, like "user@domain.fqdn". One example of such configurations is described in the tutorial we wrote and published about integrating ThinLinc with AD.

https://www.cendio.com/thinlinc/docs/tutorial/integrate-thinlinc-with-windows-active-directory

tl-kinit.sh is supposed to obtain a Kerberos ticket from the default realm when the ThinLinc session is started. When the username has a domain appended to it, tl-kinit.sh fails to obtain a Kerberos ticket. This is what's left in xinit.log:

> Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> Password for derfian@lab.lkpg.cendio.se:
> kinit: KDC reply did not match expectations while getting initial credentials

This is a problem when running kinit by hand as well:

> $ whoami
> derfian@lab.lkpg.cendio.se
> $ kinit
> Password for derfian@lab.lkpg.cendio.se:
> kinit: KDC reply did not match expectations while getting initial credentials

default_realm is set in /etc/krb5.conf, but kinit reads the domain part of the username and overrides the default_realm setting.

Avoiding the domain part works:

> $ kinit derfian
> Password for derfian@LAB.LKPG.CENDIO.SE:
> $

As well as specifying the domain part in the proper upper case.

> $ kinit derfian@LAB.LKPG.CENDIO.SE
> Password for derfian@LAB.LKPG.CENDIO.SE:
> $

I have not yet found a setting in krb5.conf that would allow these types of usernames. Neither setting dns_lookup_realm = True, rdns = true, nor adding a lower-case realm works as expected.
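
The two working kinit invocations in the report (no domain part, or the domain part in upper case) can be produced from the login name by a small shell helper. This is an added example, not ThinLinc's tl-kinit.sh; the function names kinit_principal and default_realm_from are hypothetical, and it assumes the Kerberos realm is the AD domain name in upper case, as in the lab above.

```shell
#!/bin/sh
# Added example, not ThinLinc's tl-kinit.sh. Function names are hypothetical.
# Assumption: the Kerberos realm is the AD domain name in upper case.

# default_realm_from FILE
# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
default_realm_from() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# kinit_principal LOGIN [KRB5CONF]
# Print the principal to pass to kinit; return 1 for a malformed login name.
kinit_principal() {
    login=$1 conf=$2 realm=
    case $login in
        ''|@*|*@|*@*@*)
            return 1 ;;                      # empty user/realm, or more than one "@"
        *@*)
            user=${login%@*}
            # kinit takes the realm from the login name verbatim, so fix its case.
            realm=$(printf '%s' "${login#*@}" | tr '[:lower:]' '[:upper:]') ;;
        *)
            user=$login
            # No domain part: make the default realm explicit when it can be read.
            if [ -n "$conf" ] && [ -r "$conf" ]; then
                realm=$(default_realm_from "$conf")
            fi ;;
    esac
    if [ -n "$realm" ]; then
        printf '%s@%s\n' "$user" "$realm"
    else
        printf '%s\n' "$user"
    fi
}

# Usage in a session start-up script:
#   kinit "$(kinit_principal "$(id -un)" /etc/krb5.conf)"
```

Login names with an empty user, an empty realm or more than one "@" are rejected rather than guessed at, so the caller can fall back to a plain kinit or skip ticket acquisition.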