Ubuntu Kerberos and Active Directory

Russ Allbery rra at stanford.edu
Fri Sep 8 18:53:46 EDT 2006


Rohit Kumar Mehta <rohitm at engr.uconn.edu> writes:

> What does not work is logging in with my Active Directory password.  So
> I enabled debugging in PAM and noticed the following errors when I try
> to log in:

> Sep  8 17:25:44 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh rohitm): entry:
> Sep  8 17:25:45 nfsv4c sshd[5103]: pam_krb5: verify_krb_v5_tgt(): krb5_sname_to_principal(): Cannot determine realm for host
> Sep  8 17:25:45 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh rohitm): exit: failure

> Now my realm is set in the krb5.conf file (I just kinit username, and it
> knows my default realm), so do I have to do something else for pam to
> understand it?

It's attempting to verify the credentials against a host keytab and can't
find the Kerberos realm for the host.  You can probably fix this by adding
an appropriate mapping to the [domain_realm] section of your krb5.conf.

> Also, is the krb5.keytab file necessary?  It looks like I have to run
> commands as administrator on Active Directory to generate this
> file, and if I don't have to do this, I'd rather not!

It's not necessary.  The default behavior is to skip the check if you have
no krb5.keytab file or if it contains no usable keys.  However, the
authentication will fail if it can't get even that far due to some other
more basic problem, such as not being able to figure out the realm of the
host.

This code is a bit better in the pam-krb5 that's in current Debian
unstable.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
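
The [domain_realm] mapping suggested in the reply above, as an added example that is not part of the original message or of pam-krb5: a simplified Python model of how a host name is matched against [domain_realm] entries (the exact name, then each parent domain with and without a leading dot). The realm, the example.edu names and the function names are constructed placeholders, and DNS or other fallback lookups are not modelled.

```python
# Added example: simplified model of a [domain_realm] lookup, not libkrb5 code.
import re

# Constructed krb5.conf fragment; realm and domain names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.EDU

[domain_realm]
    .engr.example.edu = AD.EXAMPLE.EDU
    engr.example.edu = AD.EXAMPLE.EDU
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries as a {name: REALM} dict."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mappings[name.lower()] = realm
    return mappings

def candidates(hostname):
    """Names tried in order: host, then each parent with and without a dot."""
    labels = hostname.lower().rstrip(".").split(".")
    names = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        names += ["." + parent, parent]
    return names

def realm_for_host(hostname, mappings):
    """Return the mapped realm, or None when no entry covers the host."""
    for name in candidates(hostname):
        if name in mappings:
            return mappings[name]
    return None

if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for host in ("nfsv4c.engr.example.edu", "nfsv4c"):
        print(host, "->", realm_for_host(host, table) or "no mapping")
```

The default_realm setting is not consulted in this model, which is why a working kinit does not by itself show that the host's realm can be found.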


