Authenticating debian users against AD

Douglas E. Engert deengert at anl.gov
Mon Aug 10 09:39:19 EDT 2009



Javier Palacios wrote:
> Personally, I got many problems while using ktpass to create a keytab.

We don't use it either, but msktutil instead. But Jarek was using ktpass
so my suggestion was to understand what is going on under the covers
and use ktpass correctly.

> 
> You could try to use samba in AD mode, or CSS adkadmin.
> 
> Javier Palacios
> 
> 
> On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert<deengert at anl.gov> wrote:
>>
>> jarek wrote:
>>> Hi all!
>>>
>>> I've configured Debian with pam_krb5, and I can login using username and
>>> password to sshd. I've tried to use also ticket login, and I have
>>> problem with it. As I understand I need for this keytab file. But
>>> whenever I put krb5.keytab into /etc I can't login at all (even with
>>> password). auth.log says:
>>>
>>> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>>> (pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
>>> (pam_krb5): apache: credential verification failed: Server not found in
>>> Kerberos database
>>> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
>>> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=192.168.1.181  user=apache
>>>
>>> I've created keytab for apache, which is used by
>>> libapache2-mod-auth-kerb and it works - I can login with kerberos ticket.
>>>
>>> The keytab was created on W2008 server with the following command:
>>>
>>> ktpass -out host-nms.keytab -princ host/test-nms.test.local at TEST.LOCAL
>>> -mapuser host-test-nms at TEST.LOCAL -mapOp set -pass <secret> -crypto
>>> DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
>>
>> I don't think you are understanding what the ktpass is doing.
>> You need a user or computer account in AD that will have a password,
>> and (usually only one) servicePrincipalName.  The -mapuser is the name
>> of this account.
>>
>>> By the way, can someone tell me what for is this password in ktpass
>>> command ?
>> The -pass option is used to change the password stored in the account,
>> and to create the key in the keytab file. So you must be an AD admin
>> to run this (unlike most KDCs which store the key, AD generates the key
>> on the fly from the stored password when a service ticket is created.) The
>> password in AD and the key in the keytab must be kept in sync. The kvno
>> in the keytab and the msDS-keyVersionNumber in the account must also match.
>>
>> If you are going to be adding a lot of hosts to AD, have a look at the
>> msktutil package. A debian version is available that works with W2008
>> and can generate AES keys too. msktutil-0.3.16-7
>>
>>  http://download.systemimager.org/~finley/msktutil/
>>
>>> Best regards
>>> J.
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
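The point made above about the keytab key and kvno having to match the AD account's password and msDS-keyVersionNumber, as an added example that is not from the thread: a small parser for the MIT keytab format that reports each entry's principal, enctype and kvno, plus a check against the key version number read from the account (the AD value is passed in by hand here; fetching it over LDAP is outside the example). The sample keytab is constructed inside the block, with a placeholder timestamp and all-zero key bytes.

```python
import struct
ENCTYPES = {3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # RFC 3961/3962

def _counted(buf, off):
    # keytab "counted octet string": uint16 big-endian length, then the bytes
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into entry metadata; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack(">i", data[pos:pos + 4]), pos + 4
        if size <= 0:                  # negative size marks a deleted slot of that length
            pos += -size
            continue
        e = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", e[0:2])
        realm, off = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(e, off)
            comps.append(c)
        off += 8                       # name_type (uint32) + timestamp (uint32)
        kvno, off = e[off], off + 1    # 8-bit kvno
        enctype, klen = struct.unpack(">HH", e[off:off + 4])
        off += 4 + klen                # skip the key itself
        if off + 4 <= size:            # optional 32-bit kvno supersedes the 8-bit one
            kvno = struct.unpack(">I", e[off:off + 4])[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos += size
    return entries

def kvno_mismatches(entries, ad_kvno):
    # principals whose keytab kvno differs from the AD account's msDS-keyVersionNumber
    return [e["principal"] for e in entries if e["kvno"] != ad_kvno]

def build_keytab(principal, kvno, enctype, key):  # one-entry keytab, for sample input only
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 1249900000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: the thread's host principal with a des-cbc-md5 key (enctype 3) at kvno 3.
SAMPLE_KEYTAB = build_keytab("host/test-nms.test.local@TEST.LOCAL", 3, 3, bytes(8))
```

A keytab entry whose kvno or enctype disagrees with what AD will issue in the service ticket is the usual reason a keytab that "looks right" fails verification.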


