having difficulty setting up a linux client with Win2k KDC

Mehta, Rohit rohitm at engr.uconn.edu
Mon Oct 27 11:48:10 EST 2003

Thanks guys, I have it working now.  It looks like I was doing a couple of things wrong.

1. I needed to add a domain_realm line something to the effect of
.myrealm.com=MYREALM.COM  (lord knows why)
2. ssh localhost did not work, but ssh afs-test or ssh afs-test.myrealm.com did work.
3. my telnetd options in /etc/inetd.conf were a little screwy.

-----Original Message-----
From: Peter J. Bertoncini <pjb at anl.gov>
[mailto:b15013 at achilles.ctd.anl.gov]
Sent: Monday, October 27, 2003 11:16 AM
To: kerberos at mit.edu; Mehta, Rohit
Subject: Re: having difficulty setting up a linux client with Win2k KDC

Try using:

   telnet -xF afs-test

   ftp -x afs-test

I assume you have Kerberized telnetd and ftpd properly configured in the
/etc/inetd.conf, /etc/xinetd.d or whatever mechanism Debian uses to manage
daemon services.

I suggest you configure the daemons to only allow access via an encrypted 


>Date: Mon, 27 Oct 2003 09:38:16 -0500
>From: "Mehta, Rohit" <rohitm at engr.uconn.edu>
>To: <kerberos at mit.edu>
>Subject: having difficulty setting up a linux client with Win2k KDC
>Hi guys, I am fairly new to kerberos and I would like to set up Linux clients
>to use a Win2k KDC.  We have an active directory, and I have a Debian (Woody)
>system with the following packages installed:
>afs-test:/home/ro# dpkg -l |grep krb5
>ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
>ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh
>ii  krb5-config    1.4            Configuration files for Kerberos Version 5
>ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
>ii  krb5-ftpd      1.2.4-5woody4  Secure FTP server supporting MIT Kerberos
>ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
>ii  krb5-rsh-serve 1.2.4-5woody4  Secure replacements for rshd and rlogind  us
>ii  krb5-telnetd   1.2.4-5woody4  Secure telnet server supporting MIT Kerberos
>ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
>ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
>ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries
>ii  libpam-krb5    1.0-7          PAM module for MIT Kerberos
>ii  openafs-krb5   1.3-8          The AFS distributed filesystem- Kerberos 5 I
>ii  ssh-krb5       3.4p1-0woody4  Secure rlogin/rsh/rcp replacement (OpenSSH w
>kinit and kpasswd actually work, but telnet and ftp do not.
>This is what my krb5.conf looks like:
>        default_realm = MYREALM.COM
>        default_tgs_enctypes = des-cbc-md5
>        default_tkt_enctypes = des-cbc-md5
>        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc
>        kdc = myactivedirectorycontroller.myrealm.com
>        admin_server = myactivedirectorycontroller.myrealm.com
>        myrealm.com = MYREALM.COM
>I created a keytab for afstest.myrealm.com on the DC and installed it on this
>client in /etc/krb5.keytab. It looks something like this:
>afs-test:/home/ro# klist -k
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   1 host/afs-test.myrealm.com at MYREALM.COM
>So hopefully I did all of that stuff correctly, back to the problem.  When I do
>kinit user at MYREALM.COM and authenticate successfully, it works.
>However after that, if I do telnet localhost or ftp localhost, I cannot
>authenticate.  This can be seen:
>telnet 1
>afs-test:/home/ro# telnet localhost
>Connected to localhost (
>Escape character is '^]'.
>telnetd: No authentication provided.
>Connection closed by foreign host.
>telnet try2 
>afs-test:/home/ro# telnet -xF localhost
>Connected to localhost (
>Escape character is '^]'.
>Waiting for encryption to be negotiated...
>Authentication negotation has failed, which is required for
>encryption.  Good bye.
>ftp try 1
>afs-test:/home/ro# ftp localhost
>Connected to localhost.
>220 afs-test.myrealm.com FTP server (Version 5.60) ready.
>334 Using authentication type GSSAPI; ADAT must follow
>GSSAPI accepted as authentication type
>GSSAPI error major: Miscellaneous failure
>GSSAPI error minor: Server not found in Kerberos database
>GSSAPI error: initializing context
>GSSAPI authentication failed
>334 Using authentication type KERBEROS_V4; ADAT must follow
>KERBEROS_V4 accepted as authentication type
>Kerberos V4 krb_mk_req failed: You have no tickets cached
>Name (localhost:ro):
>Please let me know if you would like more information. I would be very grateful
>for any assistance at all in this matter.
>Rohit Kumar Mehta
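An added example, not code from the thread: a small model of how the client library turns the hostname you typed into the host/fqdn@REALM principal it asks the KDC for (canonicalise the name, map its domain through [domain_realm]) and checks it against the single principal in Rohit's keytab. The resolver table, mapping and principal set are constructed from the thread, and the realm lookup omits MIT's DNS fallbacks.

```python
"""Model how a Kerberos client turns a typed hostname into the service
principal it requests from the KDC, and compare it with the principals the
KDC (and the host keytab) actually know. Constructed data, not from the thread."""
import socket

# Constructed from the thread: the [domain_realm] line Rohit added, his
# default_realm, and the single entry his keytab holds (which the DC knows).
DOMAIN_REALM = {".myrealm.com": "MYREALM.COM", "myrealm.com": "MYREALM.COM"}
DEFAULT_REALM = "MYREALM.COM"
KNOWN_SERVICE_PRINCIPALS = {"host/afs-test.myrealm.com@MYREALM.COM"}

def realm_for_host(fqdn, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Longest-suffix match over [domain_realm], then fall back to the
    default realm. Simplified: real MIT krb5 also tries DNS and other
    fallbacks before giving up."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:                      # exact host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".myrealm.com", ".com", ...
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default

def service_principal(hostname, service="host", resolver=socket.getfqdn):
    """Canonicalise the name as the client library does (resolve to a FQDN),
    then build service/fqdn@REALM. `resolver` is injectable for testing."""
    fqdn = resolver(hostname).lower().rstrip(".")
    return f"{service}/{fqdn}@{realm_for_host(fqdn)}"

def diagnose(hostname, known=KNOWN_SERVICE_PRINCIPALS, resolver=socket.getfqdn):
    """Return (principal, ok). ok=False is the situation behind
    'Server not found in Kerberos database' in the thread."""
    princ = service_principal(hostname, resolver=resolver)
    return princ, princ in known

if __name__ == "__main__":
    # Constructed resolver standing in for DNS on afs-test; 'localhost'
    # never canonicalises to the name the keytab was issued for.
    fake_dns = {"localhost": "localhost", "afs-test": "afs-test.myrealm.com",
                "afs-test.myrealm.com": "afs-test.myrealm.com"}
    for name in ("localhost", "afs-test", "afs-test.myrealm.com"):
        princ, ok = diagnose(name, resolver=lambda h: fake_dns.get(h, h))
        print(f"{name:24} -> {princ:40} {'ok' if ok else 'NOT KNOWN to KDC'}")
```

Run on a real host with the default resolver to see which principal a given name would map to before the ticket request ever leaves the box.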
