help with Active Directory Kerberos authentication

Rohit Kumar Mehta rohitm at
Tue Oct 17 11:38:43 EDT 2006

Scott Ruckh wrote:

> Here are some other places where I have discussed this topic:
> Note that there is a bug in Windows 2003 SP1 ktpass utility when creating
> keytab files used with secure connections.  You can get a fix from MS. 
> You can find the link to MS article which discusses the bug from the links
> above.
> Although I have a "working" solution, which can be found from the above
> articles, I would like to hear what your final configuration looks like.
> There are still several things I do not like with my configuration and
> would like to improve on the configuration so that it is more than just
> functional.
> Thanks.

Hi, thanks Scott. I had actually used one of the howtos you mentioned:

However, I am not doing anything with SFU; we have an NIS server (all the 
accounts are in both NIS and AD).

I do not think we have a problem with ktpass.  (Was this the hotfix you 
were referring to?)
On a whim, I installed Fedora Core 5 on a virtual machine, and redid 
everything, using the ktpass command described in your first howto:
"ktpass -princ host/ at AD.ENGR.UCONN.EDU -mapuser 
ENGR_STUDENT\fc5 -crypto DES-CBC-MD5 -pass mypassword -ptype 
KRB5_NT_PRINCIPAL -out keytab.fc5 "

After installing this keytab file (and authconfig) kerberized telnet 

After kinit'ing I can do a "telnet -k AD.ENGR.UCONN.EDU -l rohitm" and it lets me log in.  I do not have to type my 
password a second time.

GSSAPI authentication still does not work with SSH, and I have no idea
why kerberized telnet does not seem to work in 
Debian(etch)/Ubuntu(dapper) and GSSAPI ssh authentication does not seem 
to work for me on any distro.
