Kerberos/SASL/LDAP/Windows - Message Stream Modified

degnan78 degnan78 at
Tue Oct 3 07:32:48 EDT 2006

Hi folks, 

I'm trying to implement a SSO solution so that my Unix systems can
authenticate off my Windows Server 2003 R2 domain controllers.  I liked this
approach because it's secure, doesn't necessarily need the extra overhead of
SSL/TLS, and I don't have to put a bind user's password in the ldap.conf
file.  I have tried following instructions on several websites, including
these forums on Nabble as well as a Microsoft document: 

In any case, I feel like I'm pretty close to getting it working, but I keep
getting a nagging error message in /var/log/messages: 

GSSAPI error: miscellaneous failure (message stream modified) 

I created a user account in AD for the Linux system, then I used ktpass to
generate a key table, then copied that to /etc/krb5.keytab on the Linux box. 
I can run "kinit -k" to get a TGT from AD without having to supply a
password, and I can see the AD accounts when I run 'getent passwd', but I
cannot ssh as an AD user. 

When this failed, I tried Microsoft's suggestion to use css_adkadmin to
create the account and keytab from the Linux system, but this also resulted
in the same problem. 

Here is my krb5.conf for your viewing pleasure: 

 default = FILE:/var/log/krb5libs.log 
 kdc = FILE:/var/log/krb5kdc.log 
 admin_server = FILE:/var/log/kadmind.log 

 default_realm = EXAMPLE.COM 
 dns_lookup_realm = false 
 dns_lookup_kdc = false 
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc 
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc 

  kdc = 
  kdc = 
  admin_server = 
  default_domain = 

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM 

 profile = /var/kerberos/krb5kdc/kdc.conf 

 pam = { 
   debug = false 
   ticket_lifetime = 36000 
   renew_lifetime = 36000 
   forwardable = true 
   krb4_convert = false 
   validate = true 

And here is my ldap.conf (comments excluded): 

base dc=example,dc=com 
use_sasl on 
rootuse_sasl yes 
krb5_ccname /tmp/krb5cc_0 
sasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com 
rootsasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com 
scope sub 
timelimit 30 
bind_timelimit 30 
bind_policy soft 
idle_timelimit 3600 
nss_base_passwd dc=example,dc=com?sub 
nss_base_shadow dc=example,dc=com?sub 
nss_base_group dc=example,dc=com?sub 
nss_map_objectclass posixAccount user 
nss_map_objectclass shadowAccount user 
nss_map_attribute uid sAMAccountName 
nss_map_attribute homeDirectory unixHomeDirectory 
nss_map_attribute shadowLastChange pwdLastSet 
nss_map_objectclass posixGroup group 
nss_map_attribute uniqueMember member 
nss_map_attribute gecos cn 
pam_login_attribute sAMAccountName 
pam_filter objectclass=User 
pam_password ad 
sasl_secprops maxssf=0 
ssl no 

I have tried using the bundled versions of Kerberos 5, Cyrus-SASL, OpenLDAP,
and PADL's nss_ldap.  I have also downloaded and installed the latest
versions of the above software, but the error message still showed up.  Any

View this message in context:
Sent from the Kerberos - General mailing list archive at

More information about the Kerberos mailing list