help with Active Directory Kerberos authentication

Rohit Kumar Mehta rohitm at
Fri Oct 6 18:05:32 EDT 2006

Hi guys, I am still having trouble with some authentication issues using 
the AD Kerberos server.  I can ssh to my Debian/Etch machine using 
Active Directory credentials, but I cannot log in with a Kerberos ticket. 
kinit works and klist shows the following:

nfsv4etch:~# kinit rohitm
Password for rohitm at AD.ENGR.UCONN.EDU:
nfsv4etch:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rohitm at AD.ENGR.UCONN.EDU

Valid starting     Expires            Service principal
10/06/06 17:48:12  10/07/06 03:49:59 
         renew until 10/07/06 17:48:12

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Kerberized telnet does not seem to work.

nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
Connected to nfsv4etch (
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.

Also, if I type ssh rohitm at nfsv4etch, it prompts me for my password.
I was hoping it would just let me in with my ticket.
I have set the following options in /etc/ssh/sshd_config:

KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

and /home/rohitm/.k5login contains the user "rohitm at AD.ENGR.UCONN.EDU"

The following packages are installed:

ii  krb5-clients             1.4.4-1              Secure replacements for ftp, telnet and rsh
ii  krb5-config              1.10                 Configuration files for Kerberos Version 5
ii  krb5-rsh-server          1.4.4-1              Secure replacements for rshd and rlogind usi
ii  krb5-telnetd             1.4.4-1              Secure telnet server supporting MIT Kerberos
ii  krb5-user                1.4.4-1              Basic programs to authenticate using MIT Ker
ii  libkrb5-17-heimdal       0.7.2.dfsg.1-4       Libraries for Heimdal 
ii  libkrb53                 1.4.4-1              MIT Kerberos runtime 
ii  libpam-krb5              2.0-1                PAM module for MIT 

I also created a user named "nfsv4etch" in the Active Directory and
did the following to generate an /etc/krb5.keytab file.

Z:\krb>ktpass -princ host/ at AD.ENGR.UCONN.EDU -mapuser nfsv4etch -crypto DES-CBC-MD5 -pass password -ptype 
Targeting domain controller:
Using legacy password setting method
Successfully mapped host/ to nfsv4etch.
Key created.
Output keytab to unixmachine.keytab2:
Keytab version: 0x502
keysize 74 host/ at AD.ENGR.UCONN.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 

Can anyone think of what I am missing?  I was hoping this would be easy!

Thanks in advance for any help.
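
Added example (not part of the original message, and not code from OpenSSH or the poster): a small audit of the sshd_config lines quoted above. In OpenSSH, KerberosAuthentication controls whether a typed password is validated against the KDC, while accepting an existing ticket is governed by GSSAPIAuthentication, which defaults to no in sshd. The function names and the second sample config are constructed for illustration.

```python
# Added example: audit OpenSSH server directives for Kerberos logins.
# SAMPLE_SSHD_CONFIG repeats the four lines quoted in the post above.
SAMPLE_SSHD_CONFIG = """\
KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
"""

# Constructed variant with ticket-based (GSSAPI) login switched on.
SAMPLE_WITH_GSSAPI = SAMPLE_SSHD_CONFIG + "GSSAPIAuthentication yes\n"


def effective_settings(text):
    """Parse the global section of an sshd_config into {keyword: value}.

    Keywords are case-insensitive and the first occurrence wins, which
    is how sshd itself resolves duplicate directives.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional blocks are out of scope for this check
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def ticket_login_status(text):
    """Report which Kerberos login paths the server configuration enables."""
    s = effective_settings(text)
    return {
        # Absent means "no": sshd then never looks at the client's ticket.
        "accepts_ticket": s.get("gssapiauthentication", "no") == "yes",
        # This path still requires the user to type a password.
        "validates_password_via_kdc":
            s.get("kerberosauthentication", "no") == "yes",
    }


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_SSHD_CONFIG),
                      ("with GSSAPI", SAMPLE_WITH_GSSAPI)):
        print(name, ticket_login_status(cfg))
```

The same keyword, GSSAPIAuthentication, also has to be enabled on the client side in ssh_config for the ticket to be offered.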