Kerberos authentication; krb5.keytab significance.

Chavez, James R. james.chavez at
Tue Jul 29 12:06:54 EDT 2008


I am attempting to set up Linux (Red Hat) to use Kerberos authentication
via Active Directory.
I have configured my /etc/krb5.conf with the appropriate REALM and KDC.
I am able to kinit and receive a krb5 ticket. 
Also I have joined the box to the Active Directory domain using Samba
and the net ads join command.
I can authenticate using Winbind but would rather use Kerberos. However
I get errors in the messages log such as:

sshd[4996]: pam_krb5[4996]: account checks fail for 'Domain\user': user
is unknown or account expired.
sshd[4996]: pam_krb5[4996]: authentication fails for 'Domain\user'
(Domainusername at REALM): User not known to the underlying authentication
module (Client not found in Kerberos database).

When logging in I am prepending the domain name, for example
DOMAIN\username. That results in the above message.
I also tried username at REALM and that leaves no mention of krb5 in the
message log; rather it shows:

sshd[4273]: input_userauth_request: invalid user user at REALM
Jul 29 08:51:55 phx1amwk169925 sshd[4272]: pam_unix(sshd:auth): check
pass; user unknown
Jul 29 08:51:55 phx1amwk169925 sshd[4272]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Jul 29 08:51:55 phx1amwk169925 sshd[4272]: pam_succeed_if(sshd:auth):
error retrieving information about user user at REALM
Jul 29 08:51:58 phx1amwk169925 sshd[4272]: Failed password for invalid
user user at REALM from port 39913 ssh2.

While I was doing some reading last night I found that joining Active
Directory using net ads join does not create a /etc/krb5.keytab file. I
have a feeling this may be part of the issue? I do not have a
krb5.keytab file on the box.

Also the account for the box exists in Active Directory users and
computers and I can retrieve the info on it by using the css_adkadmin
get_account command. Can I somehow pull a keytab file from Active
Directory from this existing computer account? I am not quite sure of
the contents of the keytab file. Is it possible to manually create and
populate krb5.keytab?

While I wait for a response I will do some more reading.

Thank You

