SSH with Kerberos Authentication

Hello guys, here I'll explain how to configure SSH with Kerberos authentication. Active Directory (AD) will be our Kerberos database, i.e. the KDC.

Prepare your system with the following script: http://wiki.douglasqsantos.com.br/doku.php/confinicialjessie_en

We need to update our repositories.

apt-get update 

We set two environment variables so that the package installation does not prompt us about configuration files (Kerberos realm, Samba workgroup), because we'll replace those files after the installation anyway.

export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive

Let's install the packages our configuration needs

apt-get install samba samba-common smbclient winbind krb5-config libpam-krb5 \
libnss-winbind krb5-user libsasl2-modules-gssapi-mit ssh-krb5 -y

Let's restore the environment variables to their defaults

unset DEBIAN_PRIORITY
unset DEBIAN_FRONTEND

Now we need to point name resolution at the AD DNS server; change the domain and IP address for your environment. Kerberos clients locate the KDC through DNS SRV records, so this must be a DNS server that serves the AD zone. Note that search and domain are mutually exclusive in resolv.conf (the last one wins), so the search line alone would be enough.

vim /etc/resolv.conf
search douglasqsantos.com.br
domain douglasqsantos.com.br
nameserver 192.168.1.250

We need to synchronize the date and time with our PDC: Kerberos rejects requests when the clock skew between client and KDC exceeds the tolerance (5 minutes by default). A one-off ntpdate is fine for the setup, but in production run an NTP daemon against the domain controllers so the clocks stay in sync.

ntpdate -u 192.168.1.250

Now let's back up our Kerberos client configuration before we change it.

cp -Rfa /etc/krb5.conf{,.bkp}

Let's configure the Kerberos client like this. Realm names are case-sensitive, so write the realm the same way everywhere (krb5.conf, smb.conf and the principals you create). The krb4_* and v4_* settings below are leftovers from Kerberos 4; MIT Kerberos dropped krb4 support in 1.8 and ignores them, so they can be removed.

vim /etc/krb5.conf
[libdefaults]
       default_realm = DOUGLASQSANTOS.COM.BR
       krb4_config = /etc/krb.conf
       krb4_realms = /etc/krb.realms
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true
       v4_instance_resolve = false
       fcc-mit-ticketflags = true
       default_keytab_name = FILE:/etc/krb5.keytab
       v4_name_convert = {
             host = {
                   rcmd = host
                   ftp = ftp
             }
             plain = {
                   something = something-else
             }
       }
[realms]
DOUGLASQSANTOS.COM.BR = {
      kdc = 192.168.1.250
      admin_server = 192.168.1.250:749
      default_server = 192.168.1.250
}
[domain_realm]
      .douglasqsantos.com.br = DOUGLASQSANTOS.COM.BR
      douglasqsantos.com.br  = DOUGLASQSANTOS.COM.BR
[login]
      krb4_convert = true
      krb4_get_tickets = false
[kdc]
      profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
      realm = douglasqsantos.com.br
      ticket_lifetime = 1d
      renew_lifetime = 1d
      forwardable = true
      proxiable = false
      retain_after_close = false
      minimum_uid = 1000
      try_first_pass = true
      ignore_root = true
      debug = false
}
[logging]
      default = file:/var/log/krb5libs.log
      kdc = file:/var/log/krb5kdc.log
      admin_server = file:/var/log/kadmind.log

We need to raise the open-file limits, otherwise Samba warns that the rlimit is below the minimum it expects. The user name mioutente below is a placeholder left over from the source configuration; replace it with the account that needs the higher limit or drop those two lines.

vim /etc/security/limits.conf
[...]
root hard nofile 131072
root soft nofile 65536
mioutente hard nofile 32768
mioutente soft nofile 16384

Now let's back up our Samba configuration file.

cp -Rfa /etc/samba/smb.conf{,.bkp}

Let's set up our Samba configuration file like this.

vim /etc/samba/smb.conf
[global]
      workgroup = DOUGLASQSANTOS
      realm = douglasqsantos.com.br
      netbios name = CLIENT01
      server string = CLIENT01
      security = ADS
      auth methods = winbind
      kerberos method = secrets and keytab
      winbind refresh tickets = yes
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      load printers = No
      printing = bsd
      printcap name = /dev/null
      disable spoolss = Yes
      local master = No
      domain master = No
      winbind cache time = 15
      winbind enum users = Yes
      winbind enum groups = Yes
      winbind use default domain = Yes
      idmap config * : range = 10000-15000
      idmap config * : backend = tdb
      template shell = /bin/bash
      template homedir = /home/%U

Now let's back up nsswitch.conf, which controls where the system looks up users and groups.

cp /etc/nsswitch.conf{,.bkp}

Let's set it up like this: local files first, then winbind.

vim /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Let's back up our PAM files: if we make a mistake in them we may not be able to log in to the system at all. Keep a root shell open while testing the changes.

cp -Rfa /etc/pam.d{,.bkp}

Let's set up common-account, which controls account validity. We check the local database /etc/passwd first and winbind after it; pam_krb5 in this stack verifies that the authenticated principal is authorized for the account.

vim /etc/pam.d/common-account
#/etc/pam.d/common-account
account         [success=2 new_authtok_reqd=done default=ignore]   pam_unix.so 
account         [success=1 new_authtok_reqd=done default=ignore]   pam_winbind.so 
account         requisite                                          pam_deny.so
account         required                                           pam_permit.so
account         required                                           pam_krb5.so minimum_uid=1000

Let's set up common-auth, which controls authentication. Kerberos (pam_krb5) goes first: if pam_unix came first, a domain user would be asked for the password twice, because the local check fails before the Kerberos one runs. A successful pam_krb5 login also obtains a TGT for the user, which is what we'll see with klist later.

vim /etc/pam.d/common-auth
#/etc/pam.d/common-auth
auth             [success=3 default=ignore]            pam_krb5.so minimum_uid=1000
auth             [success=2 default=ignore]            pam_unix.so nullok_secure try_first_pass
auth             [success=1 default=ignore]            pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth             requisite                             pam_deny.so
auth             required                              pam_permit.so

Let's set up common-password, which controls password changes. pam_unix comes first and is sufficient, otherwise we could not change local passwords.

vim /etc/pam.d/common-password
#/etc/pam.d/common-password
password         sufficient                            pam_unix.so obscure sha512
password         [success=2 default=ignore]            pam_krb5.so minimum_uid=1000
password         [success=1 default=ignore]            pam_winbind.so use_authtok try_first_pass
password         requisite                             pam_deny.so
password         required                              pam_permit.so

Let's set up common-session, which controls user sessions; pam_mkhomedir creates the home directory the first time a domain user logs in.

vim /etc/pam.d/common-session
#/etc/pam.d/common-session
session         [default=1]                            pam_permit.so
session         requisite                              pam_deny.so
session         required                               pam_permit.so
session         required                               pam_unix.so
session         optional                               pam_krb5.so minimum_uid=1000
session         optional                               pam_winbind.so
session         optional                               pam_mkhomedir.so skel=/etc/skel umask=077

Let's set up the PAM configuration for sshd so that only root and members of the sudo group can open an SSH session.

vim /etc/pam.d/sshd
#/etc/pam.d/sshd
auth           required                               pam_env.so # [1]
auth           required                               pam_env.so envfile=/etc/default/locale
@include       common-auth
account        required                               pam_nologin.so
account        sufficient                             pam_succeed_if.so user ingroup root
account        requisite                              pam_succeed_if.so user ingroup sudo
@include       common-account
@include       common-session
session        optional                               pam_motd.so  motd=/run/motd.dynamic noupdate
session        optional                               pam_motd.so # [1]
session        optional                               pam_mail.so standard noenv # [1]
session        required                               pam_limits.so
@include       common-password

Now the same restriction for local console logins (/etc/pam.d/login): only root and members of the sudo group.

vim /etc/pam.d/login
#/etc/pam.d/login
auth          optional                                pam_faildelay.so  delay=3000000
auth          [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth          requisite                               pam_nologin.so
account       sufficient                              pam_succeed_if.so user ingroup root
account       requisite                               pam_succeed_if.so user ingroup sudo
session       [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session       required                                pam_env.so readenv=1
session       required                                pam_env.so readenv=1 envfile=/etc/default/locale
@include      common-auth
auth          optional                                pam_group.so
session       required                                pam_limits.so
session       optional                                pam_lastlog.so
session       optional                                pam_motd.so  motd=/run/motd.dynamic
session       optional                                pam_motd.so
session       optional                                pam_mail.so standard
@include      common-account
@include      common-session
@include      common-password
session       [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

Let's restart the Samba and winbind services

/etc/init.d/samba restart
/etc/init.d/winbind restart

We need to obtain a Kerberos ticket (TGT) for a user who is allowed to join machines to the domain

kinit douglas

Let's list our ticket

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: douglas@douglasqsantos.com.br

Valid starting       Expires              Service principal
22-08-2014 12:00:46  22-08-2014 22:00:48  krbtgt/douglasqsantos.com.br@douglasqsantos.com.br
  renew until 23-08-2014 12:00:46

Now we need to join our machine to the domain like this.

net ads join createupn=host/$(hostname).douglasqsantos.com.br@douglasqsantos.com.br -S dc01.douglasqsantos.com.br -k

If you need to debug the join

net ads join createupn=host/$(hostname).douglasqsantos.com.br@douglasqsantos.com.br -S dc01.douglasqsantos.com.br -k --debuglevel=5

Above, $(hostname) supplies our machine's name for the host principal, -S names the domain controller to talk to, and -k tells net to use the Kerberos ticket we just obtained instead of asking for a password.

The join writes the machine account keys to /etc/krb5.keytab. Make sure the file stays readable by root only: anyone who can read it can impersonate this host and decrypt every service ticket sent to it. sshd, winbind and samba all run as root, so nothing else needs access.

chmod 600 /etc/krb5.keytab

Let's restart samba and winbind again so they reload the configuration after the join.

/etc/init.d/samba restart
/etc/init.d/winbind restart

Now that the machine is joined, AD users can authenticate on the Linux box. To let our user use sudo (and pass the sudo group restriction in PAM and sshd), add it to the local sudo group like this.

gpasswd -a douglas sudo

Now we configure the SSH server to use Kerberos. KerberosAuthentication makes sshd verify passwords against the KDC; GSSAPIAuthentication accepts the user's existing ticket (the gssapi-with-mic method), so no password is sent at all. AllowGroups sudo restricts logins to members of the sudo group; note that this applies to root as well, so root can only log in over SSH if it is a member of that group.

vim /etc/ssh/sshd_config 
[...]
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

[...]
#Add the following lines at the end of the file
AllowGroups sudo
# GSSAPI key exchange (added by ssh-krb5 transitional package)
GSSAPIKeyExchange yes
#Do not reverse-resolve client addresses (avoids slow logins; GSSAPI does not need it)
UseDNS no
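As an added check, not code from the original page, the script below reads the effective configuration from sshd -T (which prints every option as a lower-case "keyword value" line after parsing the whole file, so Match blocks and typos are taken into account) and verifies the options above. Without arguments it runs against an embedded, constructed sample of sshd -T output; with --live it queries the running daemon, which needs root.

```shell
#!/bin/bash
# Added example (not from the original page): verify the effective sshd
# settings with `sshd -T`, which prints every option as a lower-case
# "keyword value" line after parsing the whole configuration.

# Constructed sample of `sshd -T` output for the configuration above.
SAMPLE_SSHD_T='port 22022
kerberosauthentication yes
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication yes
gssapicleanupcredentials yes
gssapikeyexchange yes
usedns no
permitrootlogin yes
allowgroups sudo'

# sshd_opt <sshd -T text> <keyword>: print the value of one effective option.
sshd_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# check_sshd_kerberos <sshd -T text>: 0 when the Kerberos/GSSAPI options the
# setup relies on are enabled and logins are restricted to a group.
check_sshd_kerberos() {
    local cfg="$1" rc=0 pair key want have
    for pair in kerberosauthentication=yes gssapiauthentication=yes \
                gssapicleanupcredentials=yes kerberosticketcleanup=yes; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_opt "$cfg" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL: $key is '${have:-unset}', expected '$want'"; rc=1
        fi
    done
    have=$(sshd_opt "$cfg" allowgroups)
    if [ -z "$have" ]; then
        echo "FAIL: allowgroups is unset; every AD user with a shell could log in"; rc=1
    else
        echo "OK: logins restricted to group(s): $have"
    fi
    # AllowGroups also applies to root: root logs in only if it is in one of
    # those groups, whatever permitrootlogin says.
    have=$(sshd_opt "$cfg" permitrootlogin)
    if [ "$have" = "yes" ]; then
        echo "NOTE: permitrootlogin yes, but root must still be in an allowed group"
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    check_sshd_kerberos "$(sshd -T 2>/dev/null)"     # needs root
else
    check_sshd_kerberos "$SAMPLE_SSHD_T"
fi
```

Run it with --live after every sshd_config change and before restarting ssh; a FAIL line means the option is not in effect, whatever the file says.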

Now we configure the SSH client to use Kerberos as well. GSSAPIDelegateCredentials forwards your TGT to the server you log in to, which is convenient for hopping on to further hosts, but it also means a compromised server can act as you until the ticket expires; if that matters, enable it per Host block rather than globally.

vim /etc/ssh/ssh_config
[...]
#Add the following lines at the end of the file (they fall under the "Host *" block)
      SendEnv LANG LC_*
      HashKnownHosts yes
      # keep host-key verification on: "no" would silently accept unknown or
      # changed host keys for every connection, Kerberos or not
      StrictHostKeyChecking ask
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes

Let's restart the ssh service to load the new configuration.

/etc/init.d/ssh restart

Let's test our authentication.

First log in with a domain user and password; here -p sets the port, 22022 in this example.

ssh douglas@172.31.0.93 -p 22022
Password: 
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 11:31:28 2014 from 172.31.0.245
douglas@client01:~$ 

Now, as the user douglas we've just logged in as, we can list the tickets: pam_krb5 obtained a TGT during the password login.

klist 
Ticket cache: FILE:/tmp/krb5cc_10001_d8JcfN
Default principal: douglas@douglasqsantos.com.br

Valid starting       Expires              Service principal
22-08-2014 12:11:40  22-08-2014 22:11:40  krbtgt/douglasqsantos.com.br@douglasqsantos.com.br
  renew until 23-08-2014 12:11:40

And the keytab holds the keys for our machine's principals

klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc) 
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-md5) 
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac) 
   2 host/client01@douglasqsantos.com.br (des-cbc-crc) 
   2 host/client01@douglasqsantos.com.br (des-cbc-md5) 
   2 host/client01@douglasqsantos.com.br (arcfour-hmac) 
   2 client01$@douglasqsantos.com.br (des-cbc-crc) 
   2 client01$@douglasqsantos.com.br (des-cbc-md5) 
   2 client01$@douglasqsantos.com.br (arcfour-hmac)

So far so good. Note, though, that this keytab only has DES and RC4 (arcfour-hmac) keys: DES is broken and disabled by default since MIT Kerberos 1.8 (it needs allow_weak_crypto = true), and RC4 is deprecated. In a current environment the computer account should have AES enabled (msDS-SupportedEncryptionTypes on the AD object) and the keytab should show aes256-cts-hmac-sha1-96 entries.
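The following keytab audit is an added example, not code from the original page: it parses klist -ke output, flags DES and RC4 keys, confirms that the host principal for this machine's FQDN is present, and checks that the keytab file is mode 600. The embedded sample listing is constructed (its AES entries are made up to show what a healthy keytab looks like next to the legacy keys); --live runs the same checks against /etc/krb5.keytab as root. The same audit applies to the extended keytab shown further down after client02 is added.

```shell
#!/bin/bash
# Added example (not from the original page): audit /etc/krb5.keytab.
# Parses `klist -ke` output, flags weak encryption types, checks that the
# host principal for this machine exists and that the file is root-only.

# Constructed sample of `klist -ke` output (the AES entries are made up to
# show what a healthy keytab should contain next to the weak legacy keys).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac)
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (aes256-cts-hmac-sha1-96)
   2 client01$@douglasqsantos.com.br (des-cbc-md5)
   2 client01$@douglasqsantos.com.br (aes128-cts-hmac-sha1-96)'

# keytab_entries <klist-text>: the "KVNO principal (enctype)" lines only.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/'
}

# weak_keytab_entries <klist-text>: entries using DES (broken) or RC4 (deprecated).
# klist prints a trailing space after the enctype, so no end anchor here.
weak_keytab_entries() {
    keytab_entries "$1" | grep -E '\((des-cbc-[a-z0-9]+|arcfour-hmac[a-z0-9-]*)\)' || true
}

# keytab_has_host_principal <klist-text> <fqdn> <realm>: 0 if host/<fqdn>@<realm> has a key.
keytab_has_host_principal() {
    keytab_entries "$1" | grep -qF -- "host/$2@$3 ("
}

# keytab_file_ok <path>: 0 when the file exists with mode 600; warns if not owned by root.
keytab_file_ok() {
    local f="$1" mode owner
    if [ ! -f "$f" ]; then echo "FAIL: $f does not exist"; return 1; fi
    mode=$(stat -c %a "$f"); owner=$(stat -c %U "$f")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $f is mode $mode; anyone who can read it can impersonate this host (use 600)"
        return 1
    fi
    if [ "$owner" != "root" ]; then echo "WARN: $f is owned by $owner, expected root"; fi
    return 0
}

# audit_keytab <klist-text> <fqdn> <realm>: print a report; non-zero on any finding.
audit_keytab() {
    local text="$1" fqdn="$2" realm="$3" rc=0 weak
    weak=$(weak_keytab_entries "$text")
    if [ -n "$weak" ]; then
        echo "FAIL: weak enctypes in keytab (enable AES on the computer account and re-join):"
        printf '%s\n' "$weak"
        rc=1
    fi
    if keytab_has_host_principal "$text" "$fqdn" "$realm"; then
        echo "OK: host/$fqdn@$realm is present"
    else
        echo "FAIL: host/$fqdn@$realm missing; gssapi-with-mic logins to this host will fail"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_keytab "$(klist -ke)" "$(hostname -f)" "${2:-douglasqsantos.com.br}"
    keytab_file_ok /etc/krb5.keytab
else
    audit_keytab "$SAMPLE_KLIST" client01.douglasqsantos.com.br douglasqsantos.com.br \
        || echo "(the findings above come from the constructed sample)"
fi
```

With --live the exit status is non-zero on any finding, so the script can be dropped into the cron job that maintains the keytab.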

Now let's test GSSAPI authentication with the ticket against the local SSH server. GSSAPIAuthentication is already enabled in ssh_config; the -k flag only disables delegation of the ticket to the server, the client still authenticates with it.

ssh -k client01
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 12:11:40 2014 from 172.31.0.245
douglas@client01:~$ 

No password prompt, so the ticket was accepted. If the system does ask for a password, run the client in verbose mode to see which authentication methods were tried and why GSSAPI was skipped.

ssh -kv client01
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to client01 [172.31.0.93] port 22022.
debug1: Connection established.
debug1: identity file /home/douglas/.ssh/id_rsa type -1
debug1: identity file /home/douglas/.ssh/id_rsa-cert type -1
debug1: identity file /home/douglas/.ssh/id_dsa type -1
debug1: identity file /home/douglas/.ssh/id_dsa-cert type -1
debug1: identity file /home/douglas/.ssh/id_ecdsa type -1
debug1: identity file /home/douglas/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 23:77:e5:75:6f:9f:30:37:5d:ca:66:c4:b0:ce:94:82
debug1: Host '[client01]:22022' is known and matches the ECDSA host key.
debug1: Found key in /home/douglas/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to client01 ([172.31.0.93]:22022).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_PAPER = pt_BR.UTF-8
debug1: Sending env LC_ADDRESS = pt_BR.UTF-8
debug1: Sending env LC_MONETARY = pt_BR.UTF-8
debug1: Sending env LC_NUMERIC = pt_BR.UTF-8
debug1: Sending env LC_TELEPHONE = pt_BR.UTF-8
debug1: Sending env LC_MESSAGES = pt_BR.UTF-8
debug1: Sending env LC_COLLATE = pt_BR.UTF-8
debug1: Sending env LC_IDENTIFICATION = pt_BR.UTF-8
debug1: Sending env LANG = pt_BR.UTF-8
debug1: Sending env LC_MEASUREMENT = pt_BR.UTF-8
debug1: Sending env LC_CTYPE = pt_BR.UTF-8
debug1: Sending env LC_TIME = pt_BR.UTF-8
debug1: Sending env LC_NAME = pt_BR.UTF-8
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 12:16:01 2014 from client01.douglasqsantos.com.br
douglas@client01:~$ 

To log in to another machine with the same ticket, the author adds that machine's host principal to our local keytab; the following command must be run as root.

Note: the machine being added must already be a member of the domain, like the one we have just set up. Kerberos itself does not require this step: the client only needs its TGT and asks the KDC for a service ticket for host/client02, which client02 decrypts with its own keytab. The key that net ads keytab add writes here is derived from client01's own machine password, not from client02's. Check with ssh -v whether the login to the other host already works before making this part of the automation.

net ads keytab add host/client02.douglasqsantos.com.br@douglasqsantos.com.br

After adding it we can check the new entries in the keytab with the following command.

klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc) 
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-md5) 
   2 host/client01.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac) 
   2 host/client01@douglasqsantos.com.br (des-cbc-crc) 
   2 host/client01@douglasqsantos.com.br (des-cbc-md5) 
   2 host/client01@douglasqsantos.com.br (arcfour-hmac) 
   2 client01$@douglasqsantos.com.br (des-cbc-crc) 
   2 client01$@douglasqsantos.com.br (des-cbc-md5) 
   2 client01$@douglasqsantos.com.br (arcfour-hmac) 
   2 host/client02.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-crc) 
   2 host/client02.douglasqsantos.com.br@douglasqsantos.com.br (des-cbc-md5) 
   2 host/client02.douglasqsantos.com.br@douglasqsantos.com.br (arcfour-hmac)

We can see three more lines in the file referring to the new host.

Now let's log in again with the domain user on our machine and test the connection to the other server.

Note: since the keytab changed, log out and in again (or run kdestroy and kinit) so that a fresh ticket cache is used.

ssh douglas@172.31.0.93 -p 22022
Password: 
Linux client01 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 12:16:42 2014 from client01.douglasqsantos.com.br
douglas@client01:~$

Let's list our kerberos tickets

klist 
Ticket cache: FILE:/tmp/krb5cc_10001_VDoRbW
Default principal: douglas@douglasqsantos.com.br

Valid starting       Expires              Service principal
22-08-2014 12:21:32  22-08-2014 22:21:32  krbtgt/douglasqsantos.com.br@douglasqsantos.com.br
  renew until 23-08-2014 12:21:32

Now let's log in over SSH to the host we've just added.

ssh -k client02.douglasqsantos.com.br
Linux client02 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 22 10:51:52 2014 from 172.31.0.245
douglas@client02:~$ 

The system doesn't ask for a password because the Kerberos ticket was used.

Let's check auth.log on client02 to see what happened.

tail -f /var/log/auth.log
[...]
Aug 22 12:23:34 client02 sshd[21997]: Authorized to douglas, krb5 principal douglas@douglasqsantos.com.br (krb5_kuserok)
Aug 22 12:23:34 client02 sshd[21997]: pam_succeed_if(sshd:account): requirement "user ingroup root" not met by user "douglas"
Aug 22 12:23:34 client02 sshd[21997]: pam_succeed_if(sshd:account): requirement "user ingroup sudo" was met by user "douglas"
Aug 22 12:23:34 client02 sshd[21997]: Accepted gssapi-with-mic for douglas from 172.31.0.93 port 60524 ssh2
Aug 22 12:23:34 client02 sshd[21997]: pam_unix(sshd:session): session opened for user douglas by (uid=0)

The log shows sshd authorizing douglas through krb5_kuserok (the principal douglas@douglasqsantos.com.br maps to the local user douglas), the PAM group checks, and the accepted gssapi-with-mic method. Keep in mind that krb5_kuserok also honours ~/.k5login, so a user can list other principals there that may log in as them; that is worth watching in audits. For each new machine the author repeats the keytab step above.

sudo cannot consume the Kerberos ticket, so the author configures the sudo group not to be asked for a password. Be aware that this makes every member of sudo root without any further check: anyone who obtains a session as such a user, or a delegated ticket for them, is root. Keeping the password prompt (possibly with a longer timestamp_timeout) is the safer default.

vim  /etc/sudoers
[...]
#Comment out the line below
#%sudo  ALL=(ALL:ALL) ALL
#Add the following line
%sudo ALL = NOPASSWD: ALL

Now we need a directory for our scripts

mkdir /srv/scripts

To keep the keytab up to date the author uses the following script. It authenticates as a dedicated domain user named kerberos (password krb@134* in this example) and adds every principal listed in a hosts.txt file. Two things to keep in mind: the password sits in clear text in the script, so the script must be readable by root only; and the list is fetched over plain HTTP with no authentication, so anyone who can tamper with that download can make this host register arbitrary principals. Serve the file over HTTPS or keep it local, and validate every line before using it, as the script below does.

vim /srv/scripts/update-kerberos-database.sh
#!/bin/bash
# Refresh the local keytab with the host principals listed in hosts.txt.
# Must run as root; the machine has to be joined and winbind running.

HOSTNAME=$(hostname -f)
FILE="http://www.douglasqsantos.com.br/Downloads/hosts.txt"
REALM="douglasqsantos.com.br"
USER="kerberos"
PASSWORD="krb@134*"   # clear-text credential: keep this file mode 700, root only
TMP=$(mktemp) || exit 1
trap 'rm -f "$TMP"; kdestroy 2>/dev/null' EXIT

kdestroy 2>/dev/null

# kinit reads the password from stdin when it is not a terminal
if ! kinit "$USER" <<EOF
$PASSWORD
EOF
then
    echo "kinit for $USER failed" >&2
    exit 1
fi

# fetch the list fresh every run (-c would resume or keep a stale partial file)
if ! wget -q -O "$TMP" "$FILE"; then
    echo "download of $FILE failed" >&2
    exit 1
fi

# accept only well-formed host principals in our realm, and skip our own host
grep -E "^host/[A-Za-z0-9.-]+@${REALM}\$" "$TMP" | grep -vF "host/${HOSTNAME}@" \
| while read -r PRINC; do
    net ads keytab add "$PRINC"
done

Now we create the file with the servers on the web server like this.

vim /var/www/wiki/Downloads/hosts.txt
host/bkp01.douglasqsantos.com.br@douglasqsantos.com.br
host/dns01.douglasqsantos.com.br@douglasqsantos.com.br
host/mtz01.douglasqsantos.com.br@douglasqsantos.com.br
host/vpn01.douglasqsantos.com.br@douglasqsantos.com.br
host/fw01.douglasqsantos.com.br@douglasqsantos.com.br

I'm assuming the document root of the web server is /var/www/wiki, so the file is reachable at http://www.douglasqsantos.com.br/Downloads/hosts.txt

Now let's set the permissions on the script: executable, but readable by root only, because it contains the password

chmod 700 /srv/scripts/update-kerberos-database.sh

Note: for each new server added to the domain we need to update hosts.txt at http://www.douglasqsantos.com.br/Downloads/hosts.txt ; to sort and deduplicate the file in vim use :sort u

Now we add the script to root's crontab like this (every 8 hours)

crontab -e
[...]
0 */8     *       *       *        /srv/scripts/update-kerberos-database.sh

We can run the script once by hand to check that it works.

/srv/scripts/update-kerberos-database.sh

Note: to use the new keytab entries we need to run kdestroy and obtain a new ticket with kinit

Authentication problems

  1. Check the date and time on the server and the PDC: Kerberos rejects requests when the clock skew exceeds the tolerance (5 minutes by default). To resync use ntpdate -u 192.168.1.250 if the PDC has the IP 192.168.1.250
  2. Check the connection between the server and the PDC with wbinfo -t; it must report succeeded
  3. Check that all the packages were installed and nothing is missing
  4. Check the principals in the keytab with klist -ke; only the hosts present in the local keytab are listed
  5. Check the ssh_config and sshd_config configuration
  6. Check DNS resolution, because Kerberos uses DNS (SRV records) to find the PDC and the KDC
  7. If we need to remove the machine from the domain, use net ads leave -U user, then check that the machine was removed from AD and join it again
  8. When removing a machine from the domain it is better to also remove /etc/krb5.keytab, because it is regenerated when the machine joins again
  9. If the machine was migrated from another site or restored from a backup, check that /etc/hosts has the right data
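The pre-flight script below is an added example, not code from the original page; it automates the first, second, fourth and sixth checks above. The parsing helpers work on text so they can be exercised offline on constructed input; preflight --live runs the real commands (ntpdate -q, dig, wbinfo -t, klist -k) and must run as root. It assumes dig from the dnsutils package is installed, which the package list at the top of this page does not include.

```shell
#!/bin/bash
# Added example (not part of the original page): pre-flight checks for the
# failure causes listed above. The helpers work on text so they can be run
# offline; `preflight --live` runs the real commands. Assumes dnsutils (dig)
# is installed, which the package list above does not include.

MAX_SKEW=300   # MIT krb5 default clockskew; AD's default tolerance is also 5 minutes

# Constructed sample of `dig +short SRV _kerberos._tcp.<domain>` output.
SAMPLE_SRV='10 100 88 dc02.douglasqsantos.com.br.
0 100 88 dc01.douglasqsantos.com.br.'

# skew_ok <offset-seconds> [max]: 0 when |offset| is within the tolerance.
skew_ok() {
    awk -v o="$1" -v m="${2:-$MAX_SKEW}" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# kdc_targets <dig-output>: "host port" per KDC, lowest priority first.
kdc_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' \
        | sort -n | awk '{ print $2, $3 }'
}

# preflight <domain> <kdc-ip-or-name>: run the live checks against one KDC.
preflight() {
    local domain="$1" kdc="$2" rc=0 offset srv
    srv=$(dig +short SRV "_kerberos._tcp.$domain")
    if [ -z "$srv" ]; then
        echo "FAIL: no _kerberos._tcp.$domain SRV records; check /etc/resolv.conf"; rc=1
    else
        echo "KDCs from DNS:"; kdc_targets "$srv"
    fi
    # ntpdate -q prints "server X, stratum N, offset S, delay D" per server
    offset=$(ntpdate -q "$kdc" 2>/dev/null | sed -n 's/^server .* offset \([-0-9.]*\),.*/\1/p' | head -n 1)
    if [ -z "$offset" ]; then
        echo "FAIL: could not query the time from $kdc"; rc=1
    elif skew_ok "$offset"; then
        echo "OK: clock offset ${offset}s (limit ${MAX_SKEW}s)"
    else
        echo "FAIL: clock offset ${offset}s exceeds ${MAX_SKEW}s; run ntpdate -u $kdc"; rc=1
    fi
    if wbinfo -t >/dev/null 2>&1; then
        echo "OK: machine account trust (wbinfo -t)"
    else
        echo "FAIL: wbinfo -t; winbind not running or machine not joined"; rc=1
    fi
    if klist -k 2>/dev/null | grep -qF "host/$(hostname -f)@"; then
        echo "OK: own host principal in /etc/krb5.keytab"
    else
        echo "FAIL: host/$(hostname -f) missing from /etc/krb5.keytab"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    preflight "${2:-douglasqsantos.com.br}" "${3:-192.168.1.250}"
else
    kdc_targets "$SAMPLE_SRV"
fi
```

Run preflight --live before opening a ticket for "password prompts instead of Kerberos": nearly every case on the list above shows up as one of its FAIL lines.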

Leaving the domain

net ads leave -U douglas

Removing the keytab

rm -rf /etc/krb5.keytab 

Let's obtain a new ticket for our user douglas

kinit douglas

Let's join the machine to the domain again

net ads join createupn=host/client01.douglasqsantos.com.br@douglasqsantos.com.br -S dc01.douglasqsantos.com.br -k

Let's make sure the keytab is readable by root only

chmod 600 /etc/krb5.keytab

Let's restart the winbind and samba services.

/etc/init.d/winbind restart
/etc/init.d/samba restart

Let's check the connection with our domain

wbinfo -t
checking the trust secret for domain DOUGLASQSANTOS via RPC calls succeeded

Let's add our hosts to the keytab again

/srv/scripts/update-kerberos-database.sh
