Kerberos authentication in a dual-boot Linux/Windows environment
Anthony Youd
a.j.youd at ncl.ac.uk
Tue Apr 1 07:54:42 EDT 2008
Hello,

In our department we have dual-boot Linux/Windows XP machines for which
we are attempting to set up single sign-on Kerberos authentication to a
central Windows 2003 Server Domain Controller.

When new machines are built, Windows XP is installed first. Part of
this process joins the machine to the domain, sets the machine account
password (randomly) and creates host service principals in Active Directory.
Linux is then installed on the machine, and we set up MIT Kerberos. We
have successfully been able to perform Kerberos authentication to the
Windows KDC from both the Windows and Linux installations.

Our difficulties start when we want to take advantage of the single
sign-on features of Kerberos authentication and use host principals, for
example, to allow SSH access from and to Linux machines (which may or
may not be dual-boot) without having to provide a password.

What we need to do is extract the service principals from the Active
Directory into the keytab file on the machine providing the service.
This would be very easy if the machines were booting Linux only; then we
could use either the Windows ktpass command or the Linux Samba net ads
join command. Both of these options reset the machine account password,
but in a single-boot Linux scenario that would be OK.

However, in a dual-boot environment, if we use either ktpass or net ads
join to extract the keytab to the Linux side, the Windows side cannot
log on to the domain, because the machine account has been reset.

Conversely, if we use net ads keytab create to create a new keytab
(without first doing net ads join), then we get the error message
"Decrypt integrity check failed" when trying to make an SSH connection
from/to the Linux machines.

From what I've read, this is because the encryption key in the keytab
does not match the key in the Active Directory database. Old tickets
are always cleared out to ensure we avoid having tickets encrypted with
the wrong encryption key, so that is not the problem in this case.

I can't see a way of extracting the keytab to the Linux side without
resetting the machine account password in AD, which then breaks the
Windows side. We would want to avoid having to explicitly set the
password for every single machine. I have read about using ktpass with
the mapuser option to map a real user to host service principals, but my
understanding is that a new user would have to be created for every host
and every service, which is not feasible in our setup.

Any help or thoughts would be appreciated, and I can provide more
detailed information if required.

Thanks,
Anthony.
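A first check for the key mismatch behind "Decrypt integrity check failed", added here as an example and not part of the original post: it parses an MIT format-0x0502 keytab and compares each entry's kvno with the value AD holds in the machine account's msDS-KeyVersionNumber attribute (read separately, for instance with ldapsearch). The realm, hostname, key bytes and the function names parse_keytab, build_entry and kvno_mismatches are all constructed for this example.

```python
import struct

def parse_keytab(data: bytes):
    """Parse an MIT format-0x0502 keytab into (principal, kvno, enctype) dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        strings = []                  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        pos += 4                      # name_type field, present in format 0x0502
        _ts, vno8, enctype, klen = struct.unpack(">IBHH", data[pos:pos + 9])
        pos += 9 + klen               # skip the key material itself
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        kvno = vno32 or vno8          # trailing 32-bit kvno, when non-zero, wins
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype})
    return entries

def build_entry(realm, comps, kvno, enctype, key):
    """Serialise one keytab entry; used here only to construct sample input."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">I", 1)      # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">IBHH", 1207000000, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)   # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: one arcfour-hmac (enctype 23) host key at kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "EXAMPLE.COM", ["host", "linuxbox.example.com"], 3, 23, b"\x11" * 16)

def kvno_mismatches(keytab: bytes, ad_kvno: int):
    """Principals whose keytab kvno differs from AD's msDS-KeyVersionNumber."""
    return [e["principal"] for e in parse_keytab(keytab) if e["kvno"] != ad_kvno]
```

A kvno that differs from AD's value means the keytab was written against an older machine account password; matching kvnos with the error still present point at the key material itself (for example, a password Samba stored that no longer matches AD).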