Authentication to ADS

Rechenberg, Andrew ARechenberg at
Fri Jun 28 09:56:05 EDT 2002

I have successfully authenticated users on Red Hat Linux 7.1-7.3 to an
ADS.  One must create a service mapping in the Active Directory and then
import the keytab into the Linux /etc/krb5.keytab file.

I followed the instructions on the 'Step-by-Step Guide to Kerberos 5
Interoperability' page at Microsoft
ps.asp).  Follow the steps in the 'Using Kerberos Clients' section.

I had to specify the type of crypto to use with the Windows 'ktpass'
command to get it working correctly.  I always forget whether to specify
'-crypto des-cbc-crc' or '-crypto des-cbc-md5'.  I believe it is the
former.  I also had to specify the tgs and tgt_enctypes in my krb5.conf
file (a copy of which is below).

Once I imported my keytab I could then retrieve tickets from the Win2K
KDC, and using 'ms2mit.exe' from the MIT KfW package, I could use a
Win32 Kerberized Telnet client (Kermit95) to login to the telnet service
on our Linux box without providing authentication info and the session
was encrypted.

Follow the instructions in the document linked to above (don't forget
the '-crypto' switch), modify your krb5.conf, and you should be all set.

Hope this helps,

Andrew Rechenberg
Infrastructure Team, Sherman Financial Group
Arechenberg (at)

********************* krb5.conf **************************

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MYDOMAIN.COM
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
 MYDOMAIN.COM = {
  kdc =
  default_domain =
 }

[domain_realm]
  = MYDOMAIN.COM
  = MYDOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

-----Original Message-----
From: Kurt A Bolko [mailto:bolkk000 at] 
Sent: Monday, June 24, 2002 4:32 PM
To: kerberos at
Subject: Authentication to ADS


I was wondering if anyone had successfully authenticated a kerberos
on linux/solaris/sgi to a windows ADS server?  If so what information
you require from the ADS configuration to properly configure the linux 

What I'm attempting to do is to authenticate a client through pam to an 
ADS server.  This is an attempt to create a single login for all users
our network, thus eliminating our linux ldap server.


