having difficulty setting up a linux client with Win2k KDC

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Mon Oct 27 10:42:09 EST 2003


I suspect your telnet and ftp client is trying to obtain a service ticket for a principal called host/localhost at REALM so try using :

# ftp afs-test.myrealm.com 

Instead of :

# ftp localhost

Thanks, Tim.
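Added example (not part of Tim's reply or the original post): a small Python diagnostic that mirrors how the telnet/ftp client turns the hostname typed on the command line into the host/<fqdn>@REALM principal it asks the KDC for, and then checks that principal against the keytab. DNS canonicalisation is replaced by a constructed lookup table and the klist output is constructed from the thread, so it runs offline; the domain_realm handling is a simplified model of MIT's lookup, not the library's own code.

```python
"""Diagnostic: which service principal will the client request, and is it in the keytab?"""
import re

# Constructed stand-in for DNS canonicalisation (what the client gets from
# getaddrinfo/AI_CANONNAME). 'localhost' canonicalises to itself, which is
# exactly why 'ftp localhost' asks for host/localhost@REALM.
CANONICAL_NAMES = {
    "localhost": "localhost",
    "afs-test": "afs-test.myrealm.com",
    "afs-test.myrealm.com": "afs-test.myrealm.com",
}

# Simplified domain_realm model: an entry with a leading dot covers the whole
# domain, an entry without one matches that exact host. The poster's conf line
# 'myrealm.com = MYREALM.COM' has no leading dot, so both forms are included here.
DOMAIN_REALM = {".myrealm.com": "MYREALM.COM", "myrealm.com": "MYREALM.COM"}
DEFAULT_REALM = "MYREALM.COM"

# Constructed 'klist -k' output matching the one in the thread.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------
   1 host/afs-test.myrealm.com@MYREALM.COM
"""

def realm_for_host(fqdn):
    """Exact hostname entry first, then parent domains longest-first, else default_realm."""
    host = fqdn.lower()
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in DOMAIN_REALM:
            return DOMAIN_REALM[suffix]
    return DEFAULT_REALM

def service_principal(hostname, service="host"):
    """Return service/<canonical fqdn>@REALM, the principal the client requests."""
    fqdn = CANONICAL_NAMES.get(hostname.lower(), hostname.lower())
    return f"{service}/{fqdn}@{realm_for_host(fqdn)}"

def keytab_principals(klist_text):
    """Parse the principal column out of 'klist -k' output."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", klist_text, re.M)}

def diagnose(hostname, klist_text=KLIST_OUTPUT):
    """(requested principal, present in keytab?) for the hostname the user typed."""
    princ = service_principal(hostname)
    return princ, princ in keytab_principals(klist_text)

if __name__ == "__main__":
    for h in ("localhost", "afs-test.myrealm.com"):
        print(h, "->", diagnose(h))
```

A False result for a hostname is the client-side view of the "Server not found in Kerberos database" error: the KDC has no key for that principal, and neither does the local keytab.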

-----Original Message-----
From: Mehta, Rohit [mailto:rohitm at engr.uconn.edu] 
Sent: 27 October 2003 14:38
To: kerberos at mit.edu
Subject: having difficulty setting up a linux client with Win2k KDC

Hi guys, I am fairly new to kerberos and I would like to set up Linux clients to use a Win2k KDC.  We have an active directory, and I have a Debian (Woody) system with the following packages installed:

afs-test:/home/ro# dpkg -l |grep krb5
ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh
ii  krb5-config    1.4            Configuration files for Kerberos Version 5
ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
ii  krb5-ftpd      1.2.4-5woody4  Secure FTP server supporting MIT Kerberos
ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
ii  krb5-rsh-serve 1.2.4-5woody4  Secure replacements for rshd and rlogind  us
ii  krb5-telnetd   1.2.4-5woody4  Secure telnet server supporting MIT Kerberos
ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries
ii  libpam-krb5    1.0-7          PAM module for MIT Kerberos
ii  openafs-krb5   1.3-8          The AFS distributed filesystem- Kerberos 5 I
ii  ssh-krb5       3.4p1-0woody4  Secure rlogin/rsh/rcp replacement (OpenSSH w

kinit and kpasswd actually work, but telnet and ftp do not.
This is what my krb5.conf looks like:

        default_realm = MYREALM.COM

        default_tgs_enctypes = des-cbc-md5
        default_tkt_enctypes = des-cbc-md5
        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc

        kdc = myactivedirectorycontroller.myrealm.com
        admin_server = myactivedirectorycontroller.myrealm.com

        myrealm.com = MYREALM.COM

I created a keytab for afstest.myrealm.com on the DC and installed it on this client in /etc/krb5.keytab. It looks something like this:

afs-test:/home/ro# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/afs-test.myrealm.com at MYREALM.COM

So hopefully I did all of that stuff correctly, back to the problem.  When I do kinit user at MYREALM.COM and authenticate successfully, it works.
However after that, if I do telnet localhost or ftp localhost, I cannot authenticate.  This can be seen:

telnet 1
afs-test:/home/ro# telnet localhost
Connected to localhost (
Escape character is '^]'.
telnetd: No authentication provided.
Connection closed by foreign host.

telnet try2
afs-test:/home/ro# telnet -xF localhost
Connected to localhost (
Escape character is '^]'.
Waiting for encryption to be negotiated...

Authentication negotation has failed, which is required for encryption.  Good bye.

ftp try 1
afs-test:/home/ro# ftp localhost
Connected to localhost.
220 afs-test.myrealm.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: Server not found in Kerberos database GSSAPI error: initializing context GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type Kerberos V4 krb_mk_req failed: You have no tickets cached Name (localhost:ro):

Please let me know if you would like more information. I would be very grateful for any assistance at all in this matter.


Rohit Kumar Mehta
