Old 12-23-2005, 03:49 PM   #1
cannot authenticate to AD after Kerberos client install

I would like to be able to authenticate to Active Directory from Linux, rather than use the local /etc/passwd method. I have set up the client install for Kerberos on SuSE Linux 9.1 ES. I am able to bring up a command prompt and execute "kinit userid", and successfully authenticate to AD.

I did the standard install through Yast.
- I selected the Kerberos client install, and put in my domain, as well as my DNS, as asked. My /etc/security/pam_unix2.conf is as follows:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

This file gets modified from the 'Yast Install Kerberos client'.

After rebooting the Linux server, I cannot enter an AD userid (I get "Login failed"). I also get the following log entries in /var/log/messages:

pam_krb5: unable to determine uid/gid for user
pam_krb5: authentication fails for 'xxxxxx'
pam_krb5: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)

I can only enter ids that exist in etc/local. Once logged in (using an /etc/passwd id) I can then run kinit and authenticate to AD. Any ideas how to get my Linux server to allow initial authentication to AD from the login prompt?

Thanks in advance,


Last edited by bret; 12-23-2005 at 03:59 PM.
Old 12-24-2005, 02:31 AM   #2
You could run winbind on your system. Kerberos only authenticates users and does not provide user information like uid, gid, home directory, login shell, etc. Information on winbind can be found on

You can also look up services for unix as this will allow you to add unix schema attributes into your active directory. This may not be desirable as the schema attributes cannot be removed once the schema is extended.

Old 01-10-2006, 12:45 AM   #3
Got the same issues as you, Bret.

Have you got this working by now? I can also use kinit fine but logging on is another story. Somehow authentication just doesn't go to the ADS server.


Old 01-10-2006, 02:19 AM   #4
Wrong forum, guys... this is a security forum... a Samba forum should help you much better, but still... Yeah, winbindd needs to be running...

This is all you need in your /etc/krb5.conf:

[root@arvind Perl]# more /etc/krb5.conf
[libdefaults]
 default_realm = xxxxx.NET

[realms]
 xxxxx.NET = {
  kdc =
  default_domain = xxxxx.NET
 }

[domain_realm]
 .kerberos.server = xxxxx.NET

If kinit is working then you need to run net ads to add your machine into the domain so you can access other Windows machines. You need domain admin rights to do this.

P.S. Try and move your thread out of here into a different forum. You'll get more help there...
Old 02-02-2006, 06:14 PM   #5
Original Poster
Now it works! Here's what I did.

How to set up SuSE Linux authentication to use Active Directory

1) From the linux desktop, start YaST
2) Select [Networking Services]
a. Select [Kerberos Client]
i. Select radio button [Use Kerberos]
ii. Basic Kerberos Settings
1. Default Domain: YOURDOMAIN.COM
2. Default Realm: YOURDOMAIN.COM
3. KDC Server Address:
4. CLICK [Finish]
(this dialog will modify /etc/krb5.conf)

3) From a command prompt
a. kinit userid (where userid is your 5 digit network id)
You will be prompted for your password
eg. 12345@YOURDOMAIN.COM's Password:

your response will be:
kinit: NOTICE: ticket renewable lifetime is 1 week

4) Once you have verified the Kerberos client set-up is working, you will need to tie the linux login screen to Kerberos.
a. Edit the /etc/security/pam_unix2.conf file. Add the following lines:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

5) Add user manually to /etc/passwd (make sure you use a unique uid!!!!)

12345:x:1002:100:Joe Geeko:/home/12345:/bin/bash

6) Create users home directory

cp -R /etc/skel /home/12345

7) Change ownership to new user

chown -R 12345. /home/12345

8) you can now logout and login with your new Active Directory credentials.

note: the userids I use are numeric, and must be added manually to /etc/passwd. If you have userids that don't start with a numeric, you will be able to use YaST or useradd.

I did not need to install winbind or samba. I also didn't need to do a net ads join.

These instructions are simply designed to allow you to use your AD user id to authenticate to linux.
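The two points the thread turns on are post #2's observation (Kerberos proves who you are, it does not say what uid/gid you have, which is exactly what "pam_krb5: unable to determine uid/gid for user" complains about) and post #5's manual fix of giving the AD account a local passwd entry and home directory. The script below is an added example, not code from the thread or from SuSE; it packages steps 5-7 of post #5 and enforces the "make sure you use a unique uid" caveat before writing anything. Function names and the optional PASSWD_FILE/HOME_BASE/SKEL parameters are my assumptions, added so the script can be run against a copy of /etc/passwd first; gid 100 and /bin/bash mirror the entry posted above.

```shell
#!/bin/sh
# Added example (not from the thread): give an AD account a local identity
# so pam_krb5 can resolve its uid/gid at the login prompt.
# Assumed helper names; the file/dir arguments exist so you can dry-run it.

# passwd_has_user USERID FILE -> exit 0 if USERID already has an entry
passwd_has_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# passwd_has_uid UID FILE -> exit 0 if the numeric UID is already taken
passwd_has_uid() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$2"
}

# provision_ad_user USERID UID GECOS [PASSWD_FILE] [HOME_BASE] [SKEL]
# Refuses to write anything if the name or the uid collides.
provision_ad_user() {
    user=$1
    uid=$2
    gecos=$3
    pw=${4:-/etc/passwd}
    homebase=${5:-/home}
    skel=${6:-/etc/skel}

    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric: '$uid'" >&2; return 2 ;;
    esac
    if passwd_has_user "$user" "$pw"; then
        echo "refusing: user '$user' already exists in $pw" >&2; return 1
    fi
    if passwd_has_uid "$uid" "$pw"; then
        echo "refusing: uid $uid already in use in $pw" >&2; return 1
    fi

    home=$homebase/$user
    # 'x' in the password field and no shadow entry: there is no local
    # password hash, so only the Kerberos credential can log this account in.
    printf '%s:x:%s:100:%s:%s:/bin/bash\n' "$user" "$uid" "$gecos" "$home" >> "$pw"

    # Home directory from skel ("/." also copies dotfiles), owner-only access.
    mkdir -p "$home"
    cp -R "$skel/." "$home/"
    chmod 700 "$home"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:100" "$home"   # numeric uid, so no NSS lookup is needed
    else
        echo "not root: skipping chown of $home (re-run as root)" >&2
    fi
}
```

Typical use is `provision_ad_user 12345 1002 "Joe Geeko"`, which reproduces the entry in step 5; because the script appends to /etc/passwd directly (the post explains why useradd cannot be used for all-numeric names), the collision checks are what stands between you and two accounts sharing a uid. Note that this only gives the login a local identity; authentication still goes through the use_krb5 lines in pam_unix2.conf, and the script does not touch that file.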

