help with Active Directory Kerberos authentication

Scott Ruckh sruckh at gemneye.org
Tue Oct 10 23:51:33 EDT 2006


This is what you said, Rohit Kumar Mehta:
> Thanks Russ, I think you might have found something.
> I did the command you suggested ssh -ddd 2>/tmp/err.txt
> and found an interesting message in the long file it created.
>
> 	debug1: Miscellaneous failure
> 	No principal in keytab matches desired name.
>
> My krb5.keytab looks like this:
> 	nfsv4etch:~# ktutil
> 	ktutil:  rkt /etc/krb5.keytab
> 	ktutil:  l
> 	slot KVNO Principal
> 	---- ---- ---------------------------------------------------------------------
> 	1    4 host/nfsv4etch.engr.uconn.edu at AD.ENGR.UCONN.EDU
>
> Does that look like it's generated properly?
>
> Rohit
>
> Russ Allbery wrote:
>> Rohit Kumar Mehta <rohitm at engr.uconn.edu> writes:
>>
>>
>>>I tried that command and it seems to work:
>>
>>
>>>nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu rohitm at AD.ENGR.UCONN.EDU
>>>Password for rohitm at AD.ENGR.UCONN.EDU:
>>>nfsv4etch:~# klist
>>>Ticket cache: FILE:/tmp/krb5cc_0
>>>Default principal: rohitm at AD.ENGR.UCONN.EDU
>>
>>
>>>Valid starting     Expires            Service principal
>>>10/10/06 17:19:07  10/11/06 03:19:12  host/nfsv4etch.engr.uconn.edu at AD.ENGR.UCONN.EDU
>>>        renew until 10/11/06 17:19:07
>>
>>
>>
>>>Kerberos 4 ticket cache: /tmp/tkt0
>>>klist: You have no tickets cached
>>

Here are some other places where I have discussed this topic:

http://www.linuxquestions.org/questions/showthread.php?t=371848&page=2
http://www.winlinanswers.com/community/viewtopic.php?t=37
http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

Note that there is a bug in the Windows 2003 SP1 ktpass utility when creating
keytab files used with secure connections.  You can get a fix from MS.
You can find the link to the MS article which discusses the bug in the links
above.

Although I have a "working" solution, which can be found in the above
articles, I would like to hear what your final configuration looks like.
There are still several things I do not like about my configuration and
would like to improve on it so that it is more than just
functional.

Thanks.
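As an added example (not from anyone in the thread), a small shell check for the "No principal in keytab matches desired name" failure quoted above: it rebuilds the principal sshd will ask the keytab for, host/<fqdn>@<REALM>, and compares it against a saved ktutil or `klist -k` listing. Because Kerberos principal names are case-sensitive, a case-only mismatch is reported separately from a missing entry. The function name, the sample listings and the upper-case variant are constructed here; the host and realm values are taken from the thread.

```shell
#!/bin/sh
# Check whether a host keytab listing contains the principal sshd will ask
# for, host/<fqdn>@<REALM>, and distinguish three outcomes: exact match,
# case-only mismatch (Kerberos principal names are case-sensitive, so an
# entry created for host/NFSV4ETCH... does not satisfy host/nfsv4etch...),
# and no matching host principal at all. The listing is passed as text so
# saved output of `klist -k` or ktutil's `l` command can be checked offline.
#   usage: check_host_keytab <fqdn> <REALM> "<listing text>"
#   exit: 0 exact match, 1 case-only mismatch, 2 missing
check_host_keytab() {
    fqdn=$1; realm=$2; listing=$3
    wanted="host/${fqdn}@${realm}"
    wanted_lc=$(printf '%s' "$wanted" | tr 'A-Z' 'a-z')
    # Principals are the last field of lines holding both '/' and '@', which
    # skips the "slot KVNO Principal" / "---- ----" header lines.
    principals=$(printf '%s\n' "$listing" | awk '/\/.*@/ { print $NF }')
    status=2; near=""
    for p in $principals; do
        if [ "$p" = "$wanted" ]; then
            status=0; break
        fi
        if [ "$(printf '%s' "$p" | tr 'A-Z' 'a-z')" = "$wanted_lc" ]; then
            status=1; near=$p
        fi
    done
    case $status in
        0) echo "ok: keytab has $wanted" ;;
        1) echo "case mismatch: keytab has '$near', sshd wants '$wanted'" ;;
        2) echo "missing: no entry for $wanted (keytab has: $principals)" ;;
    esac
    return $status
}

# Constructed sample listings modelled on the ktutil output in the thread
# (with '@' restored where the archive prints 'at').
SAMPLE_KEYTAB_LISTING='slot KVNO Principal
---- ---- --------------------------------------------------
   1    4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU'
SAMPLE_UPPERCASE_LISTING='slot KVNO Principal
---- ---- --------------------------------------------------
   1    4 host/NFSV4ETCH.engr.uconn.edu@AD.ENGR.UCONN.EDU'

# Demo: the thread's keytab passes; the upper-case variant is flagged.
check_host_keytab nfsv4etch.engr.uconn.edu AD.ENGR.UCONN.EDU "$SAMPLE_KEYTAB_LISTING"
check_host_keytab nfsv4etch.engr.uconn.edu AD.ENGR.UCONN.EDU "$SAMPLE_UPPERCASE_LISTING" || :
```

On a live host, feed it `$(hostname -f)`, the realm from krb5.conf and `$(klist -k /etc/krb5.keytab)`; a case-only result usually means the keytab was generated for a differently spelled host name than the machine resolves to.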
