Authentication to ADS

Rechenberg, Andrew ARechenberg at shermanfinancialgroup.com
Fri Jun 28 09:56:05 EDT 2002


I have successfully authenticated users on Red Hat Linux 7.1-7.3 to an
ADS.  One must create a service mapping in the Active Directory and then
import the keytab into the Linux /etc/krb5.keytab file.

I followed the instructions on the 'Step-by-Step Guide to Kerberos 5
Interoperability' page at Microsoft
(http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp).
Follow the steps in the 'Using Kerberos Clients' section.

I had to specify the type of crypto to use with the Windows 'ktpass'
command to get it working correctly.  I always forget whether to specify
'-crypto des-cbc-crc' or '-crypto des-cbc-md5'.  I believe it is the
former.  I also had to specify the default_tgs_enctypes and
default_tkt_enctypes options in my krb5.conf file (a copy of which is
below).

Once I imported my keytab I could then retrieve tickets from the Win2K
KDC, and using 'ms2mit.exe' from the MIT KfW package, I could use a
Win32 Kerberized Telnet client (Kermit95) to login to the telnet service
on our Linux box without providing authentication info and the session
was encrypted.

Follow the instructions in the document linked to above (don't forget
the '-crypto' switch), modify your krb5.conf, and you should be all set.

Hope this helps,
Andy.

Andrew Rechenberg
Infrastructure Team, Sherman Financial Group
Arechenberg (at) shermanfinancialgroup.com

********************* krb5.conf **************************

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
# Must match the realm name in [realms] below exactly: realm names are
# case-sensitive, and an AD realm is the DNS domain name in upper case.
 default_realm = MYDOMAIN.COM
# Restrict the client to the single-DES types the service key was exported
# with ('ktpass -crypto ...').  Note that single DES is disabled by default
# (or removed) in current Windows and MIT krb5 releases; use AES types there.
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
# The AD domain as a Kerberos realm; kdc points at a domain controller.
 MYDOMAIN.COM = {
  kdc = mykdc.mydomain.com:88
  default_domain = mydomain.com
 }

[domain_realm]
# Map host names under mydomain.com to the realm defined above.
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
# Options read by the Red Hat pam_krb5 module.
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
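As an added example (not part of Andy's post, the Microsoft guide, or MIT krb5 itself), here is a small Python checker for a krb5.conf of the shape shown above. It parses the subset of the format the file uses ([section] headers, 'key = value' lines and 'REALM = { ... }' blocks) and flags the two things that most often break this kind of AD set-up: a realm named in default_realm or [domain_realm] that has no matching [realms] entry, and enctype lists that permit only single DES. The sample configs embedded in it are constructed for the example; the first deliberately names a different realm in [realms] than in default_realm so the mismatch check has something to find.

```python
#!/usr/bin/env python3
"""Lint a krb5.conf before pointing a Linux client at an AD KDC.

Added example, not from the original post or from MIT/Microsoft.  It parses
the krb5.conf subset used above ([section] headers, 'key = value' lines and
'REALM = { ... }' blocks) and reports realm-name mismatches and DES-only
enctype lists.
"""
import re

# Constructed sample modelled on the posted config, with a [realms] block
# whose name deliberately differs from default_realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = MYDOMAIN.COM
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true

[realms]
 SHERMFIN.COM = {
  kdc = mykdc.mydomain.com:88
  default_domain = mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
"""

# The same sample with the realm name corrected and AES enctypes instead.
FIXED_KRB5_CONF = SAMPLE_KRB5_CONF.replace("SHERMFIN.COM", "MYDOMAIN.COM").replace(
    "des-cbc-crc des-cbc-md5", "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")

# Single-DES enctype names as MIT krb5 spells them.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KEYVAL_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; brace blocks become nested dicts."""
    conf = {}
    section = None   # dict for the current [section]
    block = None     # dict for the current 'NAME = { ... }' block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"directive before any [section]: {line!r}")
        if line == "}":
            if block is None:
                raise ValueError("unbalanced '}'")
            block = None
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        (section if block is None else block)[key] = value
    if block is not None:
        raise ValueError("unterminated '{' block")
    return conf


def check_krb5_conf(conf):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            problems.append(f"realm {name}: no kdc defined")
        if name != name.upper():
            problems.append(f"realm {name}: realm names are case-sensitive and AD realms are upper-case")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm maps {domain} to {realm}, which has no [realms] entry")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key)
        if value and all(e in SINGLE_DES for e in value.split()):
            problems.append(f"{key} permits only single DES ({value}); prefer AES")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(f"== {label} ==")
        for p in check_krb5_conf(parse_krb5_conf(text)) or ["OK"]:
            print(" ", p)
```

Run against a real /etc/krb5.conf by reading the file into parse_krb5_conf; the parser deliberately rejects syntax it does not understand rather than guessing, so a ValueError points at the offending line.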


-----Original Message-----
From: Kurt A Bolko [mailto:bolkk000 at unbc.ca] 
Sent: Monday, June 24, 2002 4:32 PM
To: kerberos at mit.edu
Subject: Authentication to ADS



Hello,

I was wondering if anyone had successfully authenticated a Kerberos client
on Linux/Solaris/SGI to a Windows ADS server?  If so, what information did
you require from the ADS configuration to properly configure the Linux
client?

What I'm attempting to do is to authenticate a client through PAM to an
ADS server.  This is an attempt to create a single login for all users on
our network, thus eliminating our Linux LDAP server.

Thanks,

-- 
Kurt

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
