help with Active Directory Kerberos authentication
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Tue Oct 17 11:38:43 EDT 2006
Scott Ruckh wrote:
> Here are some other places where I have discussed this topic:
>
> http://www.linuxquestions.org/questions/showthread.php?t=371848&page=2
> http://www.winlinanswers.com/community/viewtopic.php?t=37
> http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/
> http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
>
> Note that there is a bug in the Windows 2003 SP1 ktpass utility when creating
> keytab files used with secure connections. You can get a fix from MS.
> You can find the link to the MS article which discusses the bug from the links
> above.
>
> Although I have a "working" solution, which can be found from the above
> articles, I would like to hear what your final configuration looks like.
> There are still several things I do not like with my configuration and
> would like to improve on the configuration so that it is more than just
> functional.
>
> Thanks.
>
Hi, thanks Scott. I had actually used one of the howtos you mentioned:
http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/
However, I am not doing anything with SFU; we have an NIS server (all the
accounts are in both NIS and AD).
I do not think we have a problem with ktpass. (was this the hotfix you
were referring to? http://support.microsoft.com/kb/843071)
On a whim, I installed Fedora Core 5 on a virtual machine, and redid
everything, using the ktpass command described in your first howto:
"ktpass -princ host/fc5.engr.uconn.edu@AD.ENGR.UCONN.EDU -mapuser ENGR_STUDENT\fc5
 -crypto DES-CBC-MD5 -pass mypassword -ptype KRB5_NT_PRINCIPAL -out keytab.fc5"
After installing this keytab file (and authconfig) kerberized telnet
works!!!
After kinit'ing I can do a "telnet -k AD.ENGR.UCONN.EDU -l rohitm
fc5.engr.uconn.edu" and it lets me log in. I do not have to type my
password a second time.
GSSAPI authentication still does not work with SSH, and I have no idea
why kerberized telnet does not seem to work in
Debian(etch)/Ubuntu(dapper) and GSSAPI ssh authentication does not seem
to work for me on any distro.
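An added example (not code from either post) for checking a keytab like the one ktpass produces above: it parses the MIT keytab layout, assuming format version 0x0502 is what ktpass writes, and flags any entry keyed with single DES, which is what the -crypto DES-CBC-MD5 option selects. The sample keytab is constructed in memory with the host principal from that command.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 2, 3}   # single-DES enctypes (RFC 3961 numbers), what "-crypto DES-CBC-MD5" selects

def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples in MIT keytab format 0x0502 (sample use only)."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        # name_type 1 (KRB5_NT_PRINCIPAL), timestamp, 8-bit vno, keyblock, then the optional 32-bit vno
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> list:
    """Walk each entry; report principal, kvno, enctype name and whether the key is single DES."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, names = pos + 2, []
        for _ in range(ncomp + 1):          # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _nt, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                    # step over the fixed fields and the key bytes
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES})
        pos = end
    return entries

# Constructed sample: the host principal from the ktpass command above, keyed with DES-CBC-MD5, kvno 3
SAMPLE_KEYTAB = build_keytab([("host/fc5.engr.uconn.edu@AD.ENGR.UCONN.EDU", 3, 3, b"\x01" * 8)])
```

On a real file, `parse_keytab(open("keytab.fc5", "rb").read())` lists every entry, and a `"weak": True` result is the one to replace with an AES key.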