Problem with MIT Kerberos v1.4, OpenSSH 3.9p1 and Active Directory

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Feb 10 13:39:58 EST 2005


You can perform a network trace from AD with netmon.exe to see
whether or not you are using TCP.  You should be; otherwise you
would not get a response.  If you are getting "ASN.1 encoding ended
unexpectedly", it sounds like a buffer is being truncated somewhere.

Jeffrey Altman


Sam Evans wrote:
> All:
> 
> I seem to have run into a road block getting my Linux machines to 
> authenticate against AD when coming in through OpenSSH.
> 
> First, let me start off by listing what my environment is:
> 
> Test Client:
> * RHEL Linux
> * MIT Kerberos v1.4
> * OpenSSH v3.9p1 - Compiled using the following line:
> ../configure --with-tcp-wrappers --with-pam 
> --with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr 
> --sysconfdir=/etc/ssh
> 
> Active Directory:
> * Windows 2003
> 
> Scenario 1:
> 
> If I use my local account and password, I can get into the machine OK. I 
> know that OpenSSH is functioning properly.  At this point, if I do a 
> 'kinit' I can successfully authenticate myself against AD and obtain my 
> Kerberos5 ticket.
> 
> Scenario 2:
> 
> If I change my account information to require that authentication take 
> place using Kerberos, then I get the following error from the ssh daemon:
> 
> debug1: Kerberos password authentication failed: ASN.1 encoding ended 
> unexpectedly
> 
> -- What I have been able to determine at this point is that if I remove 
> my userid from the multitude of groups that it belongs to in AD, then I 
> *can* successfully authenticate myself when I come in through OpenSSH, 
> using Kerberos.
> 
> -- If I place myself back into the same groups, I cannot authenticate 
> myself and get the above error.
> 
> In doing some reading, it appears as if I need to force TCP usage in the 
> MIT Kerberos, which I have done.  Everything still works when I do 
> 'kinit' but nothing has changed in regards to OpenSSH authentication 
> ability.
> 
> Anyone have any thoughts or suggestions?
> 
> Thanks,
> Sam
> P

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
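The truncation Jeffrey describes can be checked directly on a captured KDC reply: every Kerberos message is a DER TLV whose outer length field states how many bytes should follow, so a reply that arrives shorter than its declared length is exactly the inconsistency the MIT library reports as "ASN.1 encoding ended unexpectedly". The script below is an added example, not code from this thread or from MIT Kerberos or OpenSSH; it parses only the outer tag and length (enough to detect truncation, not a full decoder), the sample replies are constructed filler rather than real tickets, and the 1500-byte figure is an assumed datagram size standing in for whatever limit the network actually imposes.

```python
# Added example (not from the mailing-list thread): check whether a DER-encoded
# Kerberos KDC reply is complete by comparing its declared outer length with
# the number of bytes actually received. Sample messages are constructed.

# Kerberos outer tags are [APPLICATION n], constructed: 0x60 | n (RFC 4120).
KRB_APP_TAGS = {
    0x6a: "AS-REQ",     # APPLICATION 10
    0x6b: "AS-REP",     # APPLICATION 11
    0x6c: "TGS-REQ",    # APPLICATION 12
    0x6d: "TGS-REP",    # APPLICATION 13
    0x7e: "KRB-ERROR",  # APPLICATION 30
}

# Assumed datagram size: a reply larger than this cannot arrive intact in one
# UDP datagram on a typical Ethernet path, which is why large replies need TCP.
ETHERNET_MTU = 1500


def der_outer_length(buf: bytes):
    """Parse the DER tag/length header of buf.

    Returns (header_len, content_len). Raises ValueError when even the
    header itself is incomplete or not definite-length DER.
    """
    if len(buf) < 2:
        raise ValueError("fewer than 2 bytes: no tag/length header")
    first = buf[1]
    if first < 0x80:                 # short form: the byte is the length
        return 2, first
    n = first & 0x7F                 # long form: n further length bytes
    if n == 0 or len(buf) < 2 + n:   # 0x80 (indefinite) is not valid DER
        raise ValueError("long-form length header is incomplete or invalid")
    content_len = int.from_bytes(buf[2:2 + n], "big")
    return 2 + n, content_len


def check_kdc_reply(buf: bytes) -> dict:
    """Classify a received KDC reply as complete or truncated."""
    tag = buf[0] if buf else None
    msg_type = KRB_APP_TAGS.get(tag, "unknown")
    try:
        hdr, content = der_outer_length(buf)
    except ValueError as exc:
        return {"type": msg_type, "declared": None, "received": len(buf),
                "truncated": True, "reason": str(exc)}
    declared = hdr + content
    truncated = len(buf) < declared
    reason = None
    if truncated:
        reason = "ASN.1 encoding ended unexpectedly: declared %d, got %d" % (
            declared, len(buf))
    return {"type": msg_type, "declared": declared, "received": len(buf),
            "truncated": truncated, "reason": reason,
            "fits_in_udp_datagram": declared <= ETHERNET_MTU}


def build_fake_as_rep(content_len: int) -> bytes:
    """Constructed sample: an AS-REP shell (tag 0x6b, two-byte long-form
    length) with zero filler as content. Not a real ticket; it only gives
    the checker a message of a known declared size."""
    length = content_len.to_bytes(2, "big")
    return bytes([0x6b, 0x82]) + length + b"\x00" * content_len


# Sample 1: a reply small enough for one datagram (user in few groups).
SMALL_REPLY = build_fake_as_rep(300)
# Sample 2: a reply inflated by a large PAC (many group memberships),
# once complete as it would arrive over TCP, once cut at the datagram size.
LARGE_REPLY_FULL = build_fake_as_rep(4000)
LARGE_REPLY_TRUNCATED = LARGE_REPLY_FULL[:ETHERNET_MTU]

if __name__ == "__main__":
    for name, sample in (("small", SMALL_REPLY),
                         ("large over udp", LARGE_REPLY_TRUNCATED),
                         ("large over tcp", LARGE_REPLY_FULL)):
        print(name, check_kdc_reply(sample))
```

Run against bytes pulled out of a capture (the UDP or TCP payload of the KDC's reply, with the four-byte TCP length prefix stripped), a `truncated` result together with a `declared` size above the datagram limit points at the transport rather than at the credentials. The thread does not name the setting Sam used to force TCP; in MIT Kerberos it is `udp_preference_limit = 1` in the `[libdefaults]` section of krb5.conf, and since sshd reads that file through the same library, it is worth confirming the daemon's environment sees the same krb5.conf that `kinit` does.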