Authenticating debian users against AD

Javier Palacios javiplx at gmail.com
Sat Aug 8 05:51:12 EDT 2009


Personally, I got many problems while using ktpass to create a keytab.

You could try to use samba in AD mode, or CSS adkadmin.

Javier Palacios


On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert<deengert at anl.gov> wrote:
>
>
> jarek wrote:
>> Hi all!
>>
>> I've configured Debian with pam_krb5, and I can login using username and
>> password to sshd. I've tried to use also ticket login, and I have
>> problem with it. As I understand I need for this keytab file. But
>> whenever I put krb5.keytab into /etc I can't login at all (even with
>> password). auth.log says:
>>
>> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>> (pam_krb5): apache: attempting authentication as apache@TEST.LOCAL
>> (pam_krb5): apache: credential verification failed: Server not found in
>> Kerberos database
>> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
>> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0
>> tty=ssh ruser= rhost=192.168.1.181  user=apache
>>
>> I've created keytab for apache, which is used by
>> libapache2-mod-auth-kerb and it works - I can login with kerberos ticket.
>>
>> The keytab was created on W2008 server with the following command:
>>
>> ktpass -out host-nms.keytab -princ host/test-nms.test.local@TEST.LOCAL
>> -mapuser host-test-nms@TEST.LOCAL -mapOp set -pass <secret> -crypto
>> DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
>
>
> I don't think you are understanding what ktpass is doing.
> You need a user or computer account in AD that will have a password,
> and (usually only one) servicePrincipalName.  The -mapuser is the name
> of this account.
>
>>
>> By the way, can someone tell me what for is this password in ktpass
>> command ?
>
> The -pass option is used to change the password stored in the account,
> and to create the key in the keytab file. So you must be an AD admin
> to run this. (Unlike most KDCs, which store the key, AD generates the key
> on the fly from the stored password when a service ticket is created.) The
> password in AD and the key in the keytab must be kept in sync. The kvno
> in the keytab and the msDS-keyVersionNumber in the account must also match.
>
> If you are going to be adding a lot of hosts to AD, have a look at the
> msktutil package. A debian version is available that works with W2008
> and can generate AES keys too. msktutil-0.3.16-7
>
>  http://download.systemimager.org/~finley/msktutil/
>
>>
>> Best regards
>> J.
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
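The two failure modes Douglas describes, a keytab whose kvno has drifted from the account's msDS-keyVersionNumber and a key generated with a weak enctype (the DES-CBC-MD5 / +DesOnly flags in the ktpass command above), can both be spotted by reading the keytab offline before it is dropped into /etc. The following is an added example, not code from anyone in this thread or from any of the tools mentioned: a small parser for the version-2 MIT keytab format that ktpass and msktutil write, plus an audit function that compares each entry's kvno against a value you read from AD and flags single-DES and RC4 keys. The sample keytab it inspects is constructed in the script itself (dummy key bytes, the principal from the thread), and the account kvno passed to the audit is an assumed value standing in for whatever the directory actually reports.

```python
"""Offline inspection of an MIT-format keytab: list each entry's principal,
kvno and enctype, then flag kvno drift against the AD account's
msDS-keyVersionNumber and weak (single-DES / RC4) keys.
Added example; the sample keytab below is constructed, not a real file."""
import struct

# Enctype numbers from RFC 3961/3962; 1-3 are single DES (deprecated by
# RFC 6649), 23 is RC4. Anything not listed is reported by number.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}
KRB5_NT_PRINCIPAL = 1  # the name type ktpass -pType KRB5_NT_PRINCIPAL writes


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed byte string at offset off."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[dict]:
    """Parse a version-2 keytab into a list of entry dicts (deleted slots skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": vno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_len": len(key),
        })
    return entries


def audit_keytab(entries: list[dict], account_kvno: int) -> list[str]:
    """Findings for kvno drift and weak enctypes; an empty list means all clear.
    account_kvno is the msDS-keyVersionNumber read from the AD account."""
    findings = []
    for e in entries:
        if e["kvno"] != account_kvno:
            findings.append(f'{e["principal"]}: keytab kvno {e["kvno"]} '
                            f'!= account kvno {account_kvno}')
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f'{e["principal"]}: weak enctype {e["enctype_name"]}')
    return findings


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one keytab entry (used here only to construct the sample file)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a DES-CBC-MD5 host key (what the ktpass command in the
# thread produces) and an AES-256 key with a newer kvno. Key bytes are dummies.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("host/test-nms.test.local@TEST.LOCAL", 3, 3, b"\x01" * 8, 1248000000)
    + build_entry("host/test-nms.test.local@TEST.LOCAL", 4, 18, b"\x02" * 32, 1248000000)
)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f'{e["principal"]:40} kvno={e["kvno"]} {e["enctype_name"]}')
    # Assumed value: in practice read msDS-keyVersionNumber from the account.
    for finding in audit_keytab(entries, account_kvno=4):
        print("WARNING:", finding)
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the DES entry in the sample trips both checks (stale kvno 3 and a weak enctype) while the AES entry passes, which is the state you want to confirm before pam_krb5 starts verifying credentials against the keytab.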