help with Active Directory Kerberos authentication

Rohit Kumar Mehta rohitm at
Tue Oct 10 17:21:25 EDT 2006

Russ Allbery wrote:

> You aren't seeing host tickets.  So it looks to me like the problem is
> that you can't obtain host/ at AD.ENGR.UCONN.EDU
> tickets from AD.
> You should be able to test this directly by running:
>     kinit -S host/ rohitm at AD.ENGR.UCONN.EDU
> to obtain host credentials rather than the normal krbtgt credentials.  My
> guess is that you'll find that the host credentials are not in AD for
> some reason.
> This will indeed affect both telnet and ssh.

I tried that command and it seems to work:
nfsv4etch:~# kinit -S host/ rohitm at AD.ENGR.UCONN.EDU
Password for rohitm at AD.ENGR.UCONN.EDU:
nfsv4etch:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rohitm at AD.ENGR.UCONN.EDU

Valid starting     Expires            Service principal
10/10/06 17:19:07  10/11/06 03:19:12 
         renew until 10/11/06 17:19:07

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

However even with the host credentials, I can't get in:

nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm
Connected to (
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.
nfsv4etch:~# ssh rohitm at
rohitm at's password:
Permission denied, please try again.
rohitm at's password:
Permission denied, please try again.
rohitm at's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

I am pretty sure I put the host creds in the AD and generated the keytab
for use on the Linux client.  Is there a way to check if my keytab is

nfsv4etch:~# strings /etc/krb5.keytab

Also, could it be a problem that I am behind a NAT server?
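The keytab check the poster is reaching for with `strings`, as an added example that is not part of the thread: a parser for the MIT keytab file format (version 0x0502) that lists the principals a keytab holds and confirms whether the host/<fqdn>@<REALM> entry an sshd or telnetd acceptor needs is present. The FQDN, realm, key bytes and timestamp in the sample are constructed; `klist -k /etc/krb5.keytab` gives the same listing on a real box.

```python
# Added example, not from the thread: parse an MIT keytab (format 0x0502) and
# check for the host/<fqdn>@<REALM> entry that sshd/telnetd need.
import struct

def _counted(buf, pos):  # uint16-length-prefixed octet string -> (bytes, next_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted (hole) entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen  # skip the fixed fields and the key bytes
        # A trailing uint32 carries the full kvno when present (vno8 wraps at 255).
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries

def has_host_principal(entries, fqdn, realm):
    """True if a host/<fqdn>@<REALM> entry exists (the SPN sshd/telnetd use)."""
    return any(e["principal"] == f"host/{fqdn}@{realm}" for e in entries)

def build_entry(principal, realm, kvno, enctype, key, ts):
    """Serialise one entry; used only to build the constructed sample below."""
    body = struct.pack(">HH", principal.count("/") + 1, len(realm)) + realm.encode()
    for c in principal.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample: hypothetical FQDN and realm, enctype 23, all-zero placeholder key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "host/nfsv4etch.example.org", "AD.EXAMPLE.ORG", 3, 23, b"\x00" * 16, 1160515147)
```

If the host principal is missing, or is present but with a kvno that no longer matches the one the KDC holds for that account, the acceptor cannot decrypt the service ticket and the client falls through to password authentication exactly as shown above.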
