Kerberos authentication in a dual-boot Linux/Windows environment
a.j.youd at ncl.ac.uk
Tue Apr 1 07:54:42 EDT 2008
In our department we have dual-boot Linux/Windows XP machines for which
we are attempting to set up single sign-on Kerberos authentication to a
central Windows 2003 Server Domain Controller.
When new machines are built, Windows XP is installed first. Part of
this process joins the machine to the domain, sets the machine account
password (randomly) and creates host service principals in Active Directory.
Linux is then installed on the machine, and we set up MIT Kerberos. We
have successfully been able to perform Kerberos authentication to the
Windows KDC from both the Windows and Linux installations.
Our difficulties start when we want to take advantage of the single
sign-on features of Kerberos authentication and use host principals, for
example, to allow SSH access from and to Linux machines (which may or
may not be dual-boot) without having to provide a password.
What we need to do is extract the service principals from the Active
Directory into the keytab file on the machine providing the service.
This would be very easy if the machines were booting Linux only, then we
could use either the Windows ktpass command, or the Linux Samba net ads
join command. Both of these options reset the machine account password,
but in a single boot Linux scenario that would be OK.
However, in a dual-boot environment, if we use either ktpass or net ads
join to extract the keytab to the Linux side, the Windows side cannot
log on to the domain, because the machine account has been reset.
Conversely, if we use net ads keytab create to create a new keytab
(without first doing net ads join), then we get the error message
"Decrypt integrity check failed" when trying to make an SSH connection
from/to the Linux machines.
From what I've read, this is because the encryption key in the keytab
does not match the key in the Active Directory database. Old tickets
are always cleared out to ensure we avoid having tickets encrypted with
the wrong encryption key, so that is not the problem in this case.
I can't see a way of extracting the keytab to the Linux side without
resetting the machine account password in AD, which then breaks the
Windows side. We would want to avoid having to explicitly set the
password for every single machine. I have read about using ktpass with
the mapuser option to map a real user to host service principals, but my
understanding is that a new user would have to be created for every host
and every service, which is not feasible in our setup.
Any help or thoughts would be appreciated, and I can provide more
detailed information if required.
More information about the Kerberos