Kerberos displays username in cleartext while logging to Active Directory, is it ok?
 

I'm working on a Linux integration project into Active Directory for our business organization. The Linux clients are RHEL 5/6 and the AD is running MS Windows 2008. Among multiple options, I'm ok with the Winbind/Kerberos option. I've set up the my lab environment and now the Linux systems can authenticate AD users. Before exporting the solution to the production environment, I wanted to have a look on the authentication traffic when I've noticed that every time a client initiates a authentication request to the AD, the username is transmitted in clear text within the Kerberos AS-REQ packet. Is it normal behavior of the Kerberos protocol or should I expect that the username be also encrypted?

Well, that's the standard in the Kerberos RFC.

(I would generally suggest that pure LDAP is a nicer simpler approach to Linux / AD integration than winbind etc., and over TLS the whole lot would always be included)

It's part of the protocol. As I recall, the principle is also inside the encrypted portion, and the two must match or the AS-REQ is rejected.