Problem with MIT Kerberos v1.4, OpenSSH 3.9p1 and Active Directory

Douglas E. Engert deengert at
Thu Feb 10 14:20:48 EST 2005

Sam Evans wrote:

> All:
> I seem to have run into a road block getting my Linux machines to 
> authenticate against AD when coming in through OpenSSH.
> First, let me start off my listing what my environmnet is:
> Test Client:
> * RHEL Linux
> * MIT Kerboros v1.4
> * OpenSSH v3.9p1 - Compiled using the following line:
> ./configure --with-tcp-wrappers --with-pam 
> --with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr 
> --sysconfdir=/etc/ssh
> Active Directory:
> * Windows 2003
> Scenario 1:
> If I use my local account and password, I can get into the machine OK. I 
> know that OpenSSH is functioning properly.  At this point, if I do a 
> 'kinit' I can successfully authenticate myself against AD and obtain my 
> Keberos5 ticket.
> Scenario 2:
> If I change my account information to require that authentication take 
> place using Kerberos, then I get the following error from the ssh daemon:
> debug1: Kerberos password authentication failed: ASN.1 encoding ended 
> unexpectedly

Do you have any more of the sshd trace?

> -- What I have been able to determine at this point is that if I remove 
> my userid from the multitude of groups that it belongs to in AD, then I 
> *can* successfully authenticate myself when I come in through OpenSSH, 
> using Kerberos.

> -- If I place myself back into the same groups, I cannot authenticate 
> myself and get the above error.

Sounds like a big ticket problem.  We have seen problems with AFS
(which has been reported and fixed in the CVS) when the ticket is big.

I have not seen this, and just did a test with my 2003 AD user which
is in too many groups. It worked fine with OpenSSH-3.9p1 with MIT krb5-1.4
running on Solaris. But maybe my test user is not in enough groups to cause
this problem.

> In doing some reading, it appears as if I need to force TCP usage in the 
> MIT Kerberos, which I have done.  Everything still works when I do 
> 'kinit' but nothing has changed in regards to OpenSSH authentication 
> ability.
> Anyone have any thoughts or suggestions?

The OpenSSH may be finding an older krb5 shared library, that has problems.
Does it also have PAM? Is the pam_krb5 loading an old Kerberos?

Does "ldd sshd" show that all new krb5 libs are being used?

If you run Ethereal, how big is the bad ticket vs the good ticket.

> Thanks,
> Sam
> P
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list