help with Active Directory Kerberos authentication

Scott Ruckh sruckh at
Tue Oct 10 23:51:33 EDT 2006

This is what you said Rohit Kumar Mehta
> Thanks Russ, I think you might have found something.
> I did the command you suggested ssh -ddd 2>/tmp/err.txt
> and found an interesting message in the long file it created.
> 	debug1: Miscellaneous failure
> 	No principal in keytab matches desired name.
> My krb5.keytab looks like this:
> 	nfsv4etch:~# ktutil
> 	ktutil:  rkt /etc/krb5.keytab
> 	ktutil:  l
> 	slot KVNO Principal
> 	---- ---- ---------------------------------------------------------------------
> 	1    4 host/ at AD.ENGR.UCONN.EDU
> Does that look like it's generated properly?
> Rohit
> Russ Allbery wrote:
>> Rohit Kumar Mehta <rohitm at> writes:
>>>I tried that command and it seems to work:
>>>nfsv4etch:~# kinit -S host/
>>> rohitm at AD.ENGR.UCONN.EDU
>>>Password for rohitm at AD.ENGR.UCONN.EDU:
>>>nfsv4etch:~# klist
>>>Ticket cache: FILE:/tmp/krb5cc_0
>>>Default principal: rohitm at AD.ENGR.UCONN.EDU
>>>Valid starting     Expires            Service principal
>>>10/10/06 17:19:07  10/11/06 03:19:12  host/ at AD.ENGR.UCONN.EDU
>>>        renew until 10/11/06 17:19:07
>>>Kerberos 4 ticket cache: /tmp/tkt0
>>>klist: You have no tickets cached

Here are some other places where I have discussed this topic:

Note that there is a bug in the Windows 2003 SP1 ktpass utility when creating
keytab files used with secure connections.  You can get a fix from MS.
You can find the link to the MS article which discusses the bug from the links

Although I have a "working" solution, which can be found from the above
articles, I would like to hear what your final configuration looks like.
There are still several things I do not like with my configuration and
would like to improve on the configuration so that it is more than just

