help with Active Directory Kerberos authentication
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Fri Oct 6 18:05:32 EDT 2006
Hi guys, I am still having trouble with some authentication issues using
the AD kerberos server. I can ssh to my Debian/Etch machine using
Active Directory credentials, but I cannot login with a Kerberos ticket.
kinit works and klist shows the following:
nfsv4etch:~# kinit rohitm
Password for rohitm at AD.ENGR.UCONN.EDU:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rohitm at AD.ENGR.UCONN.EDU
Valid starting Expires Service principal
10/06/06 17:48:12 10/07/06 03:49:59
krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU
renew until 10/07/06 17:48:12
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Kerberized telnet does not seem to work.
nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
Connected to nfsv4etch (127.0.1.1).
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.
Also if I type ssh rohitm at nfsv4etch, it prompts me for my password.
I was hoping it would just let me in with my ticket.
I have set the following options in /etc/ssh/sshd_config
and /home/rohitm/.k5login contains the user "rohitm at AD.ENGR.UCONN.EDU"
The following packages are installed:
ii krb5-clients 1.4.4-1 Secure replacements
for ftp, telnet and rsh
ii krb5-config 1.10 Configuration files
for Kerberos Version 5
ii krb5-rsh-server 1.4.4-1 Secure replacements
for rshd and rlogind usi
ii krb5-telnetd 1.4.4-1 Secure telnet server
supporting MIT Kerberos
ii krb5-user 1.4.4-1 Basic programs to
authenticate using MIT Ker
ii libkrb5-17-heimdal 0.7.2.dfsg.1-4 Libraries for Heimdal
ii libkrb53 1.4.4-1 MIT Kerberos runtime
ii libpam-krb5 2.0-1 PAM module for MIT
I also created a user named "nfsv4etch" in the Active Directory and
did the following to generate an /etc/krb5.keytab file.
Z:\krb>ktpass -princ host/nfsv4etch.engr.uconn.edu at AD.ENGR.UCONN.EDU
-mapuser nfsv4etch -crypto DES-CBC-MD5 -pass password -ptype
KRB5_NT_PRINCIPAL -out unix
Targeting domain controller: fozzie.ad.engr.uconn.edu
Using legacy password setting method
Successfully mapped host/nfsv4etch.engr.uconn.edu to nfsv4etch.
Output keytab to unixmachine.keytab2:
Keytab version: 0x502
keysize 74 host/nfsv4etch.engr.uconn.edu at AD.ENGR.UCONN.EDU ptype 1
(KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8
Can anyone think of what I am missing? I was hoping this would be easy!
Thanks in advance for any help.
More information about the Kerberos