Linux authentication using Kerberos and AD

Ness, Todd todd.ness at
Wed Jun 16 10:37:44 EDT 2004

Also, I believe that you must either put the user into NIS or the local
files, you do not have to have a shadow entry in local files. I have not
tried via NIS yet.

On the MS side you do not need AD4Unix.

You need to install the current service packs, if 2000 you need the high
encryption pack, and Microsoft services for UNIX 3.5 I think is the current
version. In the AD user management tool you need to go to the UNIX tab and
add that user to NIS. Make sure the uid and gid match what you put into the
passwd file.

On your Linux client you need a ldap.conf something like this...
host yourhost
base dc=your,dc=ad,dc=domain
ldap_version 3
binddn cn=yourldapauthorizedaccount,cn=Users,dc=your,dc=ad,dc=domain
bindpw aboveuserspw
pam_password ad
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute gecos displayName
nss_map_attribute loginShell msSFU30LoginShell
pam_login_attribute msSFU30Name
pam_filter objectclass=User

You need to configure your files in /etc/pam.d properly
You need to add ldap to /etc/nsswitch.conf
Of course you have to setup krb5.conf kdc.conf

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On Behalf
Of Norbert Klasen
Sent: Tuesday, June 15, 2004 5:48 PM
To: Gallagher, Kevin; kerberos at
Subject: Re: Linux authentication using Kerberos and AD

--On Donnerstag, 10. Juni 2004 16:26 +0100 "Gallagher, Kevin" 
<K.Gallagher at> wrote:

> I am trying to establish single sign on using linux,AD and Kerberos. I 
> have created a test account in AD which does not exist in either local 
> files or NIS. I have created a ketyab file and imported it on my linux 
> box, configured both /etc/krb5.conf and /etc/pam.conf for my Reakm and 
> Kerberos. I can use kinit to authenticate my test account and can see 
> the TGTfor my test account as the security principle with klist. 
> However I can't see the test account with getent passwd which may 
> explain why I can't logon as the test account. The pam_krb5 error 
> indicates it can't get a uid/gid. I can authenticate if I put a 
> corresponding account in /etc/passwd or NIS but thus defeats the point 
> if the exercise. Can anyone suggest what I may have missed and what 
> needs to be edited in order for getent passwd to work?

You cannot get uid/gid information via Kerberos/PAM.
First you'll need to extend your AD to store these information (e.g. with 
Microsoft Services for UNIX). Then you can setup NSS with LDAP to retrieve 
this information from your AD. See <>

Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list