Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 05-20-2010, 10:34 AM   #1
LQ Newbie
Registered: Jun 2009
Posts: 10

Rep: Reputation: 0
Troubleshooting openSUSE client authenticating to Windows 2003 AD server w/ Kerberos

I am trying to connect an OpenSuse11 server to a MS 2003 Active Directory server with kerberos 5. The ultimate aim is to authenticate postgres database users against the AD.

I have found some information that has got me started. I can authenticate with my user credentials interactively - however I can not use a key tab file from a service account.

My first issue though is that I am not getting any messages from kerberos in /var/log/messages.
default_realm = LAB2K.NET
dns_lookup_kdc = false;

kdc =
lab2k = LAB2K.NET = LAB2K.NET
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
admin_server = SYSLOG:DEBUG:AUTH

Our sys admins created a key tab file:
C:\>ktpass -princ HTTP/ -mapuser poe3b -crypto DES-CBC-
MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass * -out c:\poe3b.keytab
Targeting domain controller:
WARNING: realm "lab2k.NET" has lowercase characters in it.
We only currently support realms in UPPERCASE.
assuming you mean "LAB2K.NET"...
Successfully mapped HTTP/ to poe3b.
Type the password for HTTP/
Type the password again to confirm:
Key created.
Output keytab to c:\poe3b.keytab:
Keytab version: 0x502
keysize 57 HTTP/ ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etyp
e 0x3 (DES-CBC-MD5) keylength 8 (0x0b7c7cda2679a708)
Account poe3b has been set for DES-only encryption.

It appears that the principal HTTP has been mapped to the user poe3b.

klist -k -t poe3b.keytab
Keytab name: FILE:poe3b.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 12/31/69 19:00:00 HTTP/
kinit -k -t poe3b.keytab HTTP
kinit(v5): Client not found in Kerberos database while getting initial credentials
hostname -f

It seems that the use in the keytab file is not being recognized by AD - is this what the error messages mean? Is this an AD issue, or a linux issue?

However, if I go to a windows machine in that domain, I can find the user poe3b
(poe3b (HTTP/

What am I missing? It seems that the pieces are there. Any thoughts much appreciated.


Last edited by montyny; 05-24-2010 at 09:36 AM. Reason: change title


directory, kerberos

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Windows Server 2003 Active Directory Account Lockout Troubleshooting zwinter Linux - General 4 08-20-2010 12:14 PM
Connect LINUX client to WINDOWS 2003 server linuxy2 Linux - Networking 8 07-29-2009 06:02 AM
Linux Authenticating against Windows 2003 Server: su error sbabcock23 Linux - Software 6 04-08-2009 03:26 PM
Problem authenticating OpenBSD to a Windows 2003 Server blood_omen *BSD 1 04-25-2006 03:40 PM
Authenticating Linux against Windows 2003 Active Directory Builder Linux - Enterprise 26 08-30-2005 04:56 AM

All times are GMT -5. The time now is 09:53 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration