Authenticating debian users against AD

jarek jarek at
Thu Jul 30 07:40:43 EDT 2009

Hi all!

I've configured Debian with pam_krb5, and I can login using username and 
password to sshd. I've tried to use also ticket login, and I have 
problem with it. As I understand I need for this keytab file. But 
whenever I put krb5.keytab into /etc I can't login at all (even with 
password). auth.log says:

(pam_krb5): none: pam_sm_authenticate: entry (0x1)
(pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
(pam_krb5): apache: credential verification failed: Server not found in 
Kerberos database
(pam_krb5): apache: pam_sm_authenticate: exit (failure)
pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 
tty=ssh ruser= rhost=  user=apache

I've created keytab for apache, which is used by 
libapache2-mod-auth-kerb and it works - I can login with kerberos ticket.

The keytab was created on W2008 server with the following command:

ktpass -out host-nms.keytab -princ host/test-nms.test.local at TEST.LOCAL 
-mapuser host-test-nms at TEST.LOCAL -mapOp set -pass <secret> -crypto 

By the way, can someone tell me what for is this password in ktpass 
command ?

Best regards

More information about the Kerberos mailing list