Authenticating debian users against AD

Douglas E. Engert deengert at
Thu Jul 30 10:34:06 EDT 2009

jarek wrote:
> Hi all!
> I've configured Debian with pam_krb5, and I can log in using username and 
> password to sshd. I've also tried to use ticket login, and I have a 
> problem with it. As I understand it, I need a keytab file for this. But 
> whenever I put krb5.keytab into /etc I can't log in at all (even with 
> password). auth.log says:
> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
> (pam_krb5): apache: attempting authentication as apache@TEST.LOCAL
> (pam_krb5): apache: credential verification failed: Server not found in 
> Kerberos database
> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 
> tty=ssh ruser= rhost=  user=apache
> I've created keytab for apache, which is used by 
> libapache2-mod-auth-kerb and it works - I can login with kerberos ticket.
> The keytab was created on W2008 server with the following command:
> ktpass -out host-nms.keytab -princ host/test-nms.test.local@TEST.LOCAL 
> -mapuser host-test-nms@TEST.LOCAL -mapOp set -pass <secret> -crypto 

I don't think you understand what ktpass is doing.
You need a user or computer account in AD that will have a password,
and (usually only one) servicePrincipalName.  The -mapuser is the name
of this account.

> By the way, can someone tell me what this password in the ktpass 
> command is for?

The -pass option is used to change the password stored in the account,
and to create the key in the keytab file. So you must be an AD admin
to run this. (Unlike most KDCs, which store the key, AD generates the key
on the fly from the stored password when a service ticket is created.) The
password in AD and the key in the keytab must be kept in sync. The kvno
in the keytab and the msDS-keyVersionNumber in the account must also match.

If you are going to be adding a lot of hosts to AD, have a look at the
msktutil package. A Debian version is available that works with W2008
and can generate AES keys too: msktutil-0.3.16-7

> Best regards
> J.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
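
The reply above says the kvno in the keytab must match the account's msDS-KeyVersionNumber. The following is an added example, not part of the original message: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype and flags entries whose kvno differs from a value the caller has read from AD. The sample keytab is constructed with dummy all-zero keys, and `make_entry` and `stale_entries` are hypothetical helper names.

```python
import struct

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype name) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # a negative length marks a deleted slot (hole)
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        p += 8                     # skip name type and timestamp
        kvno = rec[p]              # 8-bit kvno
        (etype,) = struct.unpack_from(">H", rec, p + 1)
        _key, p = _counted(rec, p + 3)
        if len(rec) - p >= 4:      # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, ETYPES.get(etype, str(etype))))
    return out

def stale_entries(entries, principal, ad_kvno):
    """Entries for principal whose kvno differs from the account's msDS-KeyVersionNumber."""
    return [e for e in entries if e[0] == principal and e[1] != ad_kvno]

def make_entry(realm, comps, kvno, etype, key):
    """Build one keytab entry; used only to construct the sample below."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: dummy keys, principal name taken from the ktpass command quoted above.
SPN = "host/test-nms.test.local@TEST.LOCAL"
NAME = [b"host", b"test-nms.test.local"]
SAMPLE = (b"\x05\x02" + make_entry(b"TEST.LOCAL", NAME, 2, 23, bytes(16))
          + make_entry(b"TEST.LOCAL", NAME, 3, 18, bytes(32)))
```

With an assumed msDS-KeyVersionNumber of 3, `stale_entries(parse_keytab(SAMPLE), SPN, 3)` returns only the kvno 2 entry, which is the kind of entry left behind when the account password was reset after the keytab was written.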
