How to get service ticket

Monika Borikar monikaborikar at
Mon Nov 25 03:26:01 EST 2002


We have a problem integrating Windows 2000 KDC with Linux 7.2 via Kerberos 
authentication. Here are the details of what we have done so far....

Windows 2000 side:

Windows 2000 is our KDC.
Trying to connect two Linux systems as clients to the WIN2K KDC. The Linux 
systems are oxymoron and kerberos-linux2
DNS is set up on Win2k and time is matching between the Linux and Win2k systems
No modifications done to KDC server settings.
Used Active Directory Users and Computers to create user accounts for users 
existing in the Linux system
Created user accounts for users existing in Linux hostname in AD
Created separate user accounts for telnet and rlogin services in AD

Linux side:

The installed rpms are:


The /etc/krb5.conf contents are
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

ticket_lifetime = 24000
default_realm = KERBEROSBLR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 10000
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

kinit = {
forwardable = true
telnet = {
forward = true
encrypt = true
autologin = true
rlogin = {
allow_fallback = false

kdc =
admin_server =
default_domain =


profile = /var/kerberos/krb5kdc/kdc.conf

debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true

Windows 2000 side:

Mapped computer using ktpass as:

ktpass -princ host/ at KERBEROSBLR.COM -mapuser oxymoron -pass * -out oxymoron.keytab
ktpass -princ host/ at KERBEROSBLR.COM -mapuser kerberos-linux2 -pass * -out kerberos-linux2.keytab

Securely transferred the keytab files to the respective Linux hosts.

Linux side:

rkt oxymoron.keytab
wkt /etc/krb5.keytab

Did the same for the other Linux system and service accounts (telnet and rlogin).

Tested authentication using kinit -f for a user from the Linux system.
klist -5 displays the following:

Ticket cache: FILE:/tmp/krb5cc_522
Default principal: monica at KERBEROSBLR.COM

Valid starting     Expires            Service principal
11/25/02 12:58:36  11/25/02 17:32:47  krbtgt/KERBEROSBLR.COM at KERBEROSBLR.COM

We are stuck at this point. We don't know how to obtain service tickets for 
rlogin and telnet.

We have tried the following:

telnet -xF localhost

The result looks like:

Connected to kerberos-linux2 (
Escape character is '^]'.
Waiting for encryption to be negotiated...

Authentication negotation has failed, which is required for
encryption.  Good bye.

We have also tried rlogin:

rlogin -x -F localhost

No error message is displayed, but the service ticket is not displayed when 
klist -5 is used. It still displays only krbtgt.

Please help us step-by-step to know where we are wrong and how to obtain a 
service ticket using Kerberos authentication.

Thanks and regards,
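
The check the post does by eye (does `klist -5` list anything besides krbtgt?), written as an added example that is not part of the original message. The `host/` prefix comes from the ktpass commands in the post; the second sample and its host name `linuxhost.example` are constructed placeholders.

```python
import re
from typing import NamedTuple

# klist -5 output as quoted in the post (the archive shows "@" as " at ").
FROM_POST = """\
Ticket cache: FILE:/tmp/krb5cc_522
Default principal: monica at KERBEROSBLR.COM

Valid starting     Expires            Service principal
11/25/02 12:58:36  11/25/02 17:32:47  krbtgt/KERBEROSBLR.COM at KERBEROSBLR.COM
"""

# Constructed sample: the same cache once a host/ ticket has been issued.
# The host name linuxhost.example is a placeholder, not taken from the post.
CONSTRUCTED = FROM_POST + (
    "11/25/02 13:01:10  11/25/02 17:32:47  "
    "host/linuxhost.example@KERBEROSBLR.COM\n"
    "\trenew until 11/26/02 12:58:36\n"
)

class Ticket(NamedTuple):
    starts: str
    expires: str
    service: str

STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
ROW = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")

def parse_klist(text):
    """Return (default_principal, [Ticket, ...]) from klist -5 style output."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.replace(" at ", "@").strip()  # undo archive mangling
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := ROW.match(line)):  # "renew until" and header lines fall through
            tickets.append(Ticket(*m.groups()))
    return principal, tickets

def summarize(text, wanted="host/"):
    """Split the cache into TGTs and service tickets; flag the wanted service."""
    principal, tickets = parse_klist(text)
    tgts = [t.service for t in tickets if t.service.startswith("krbtgt/")]
    services = [t.service for t in tickets if not t.service.startswith("krbtgt/")]
    return {"principal": principal, "tgts": tgts, "services": services,
            "wanted_present": any(s.startswith(wanted) for s in services)}

if __name__ == "__main__":
    for name, sample in (("post", FROM_POST), ("constructed", CONSTRUCTED)):
        print(name, summarize(sample))
```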

