Old 11-14-2012, 06:54 AM   #1
Question Kerberos displays username in cleartext while logging to Active Directory, is it ok?

I'm working on a Linux integration project into Active Directory for our business organization. The Linux clients are RHEL 5/6 and the AD is running MS Windows 2008. Among multiple options, I'm ok with the Winbind/Kerberos option. I've set up my lab environment and now the Linux systems can authenticate AD users. Before exporting the solution to the production environment, I wanted to have a look at the authentication traffic, and I noticed that every time a client initiates an authentication request to the AD, the username is transmitted in clear text within the Kerberos AS-REQ packet. Is it normal behavior of the Kerberos protocol, or should I expect the username to be encrypted as well?

Last edited by patmut; 11-14-2012 at 06:55 AM.
Old 11-14-2012, 06:58 AM   #2
Well, that's the standard in the Kerberos RFC.

(I would generally suggest that pure LDAP is a nicer simpler approach to Linux / AD integration than winbind etc., and over TLS the whole lot would always be included)
Old 12-03-2012, 09:42 AM   #3
It's part of the protocol. As I recall, the principal is also inside the encrypted portion, and the two must match or the AS-REQ is rejected.
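Added example, not part of the thread: a minimal DER walk over an AS-REQ as laid out in RFC 4120, showing that the client principal (`cname`) and realm sit in the unencrypted `req-body` and can be read straight off the wire. The sample packet, the user "alice", the realm EXAMPLE.COM and all helper names are constructed for illustration.

```python
def tlv(tag, body):
    """DER-encode one element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def items(body):
    """List the (tag, value) children of a constructed element."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

inner = lambda el: read_tlv(el)[1]  # value of the element inside an EXPLICIT tag

def cleartext_identity(pkt):
    """Return (client principal, realm) readable on the wire in an AS-REQ."""
    tag, kdc_req, _ = read_tlv(pkt)
    if tag != 0x6A:                                # [APPLICATION 10] = AS-REQ
        raise ValueError("not an AS-REQ")
    req = dict(items(inner(kdc_req)))              # KDC-REQ fields
    body = dict(items(inner(req[0xA4])))           # req-body [4], not encrypted
    cname = dict(items(inner(body[0xA1])))         # cname [1] PrincipalName
    parts = [v.decode() for _, v in items(inner(cname[0xA1]))]
    return "/".join(parts), inner(body[0xA2]).decode()   # realm [2]

# Constructed sample AS-REQ (hypothetical user "alice", realm EXAMPLE.COM).
ctx = lambda n, body: tlv(0xA0 | n, body)          # context tag [n]
num = lambda v: tlv(0x02, bytes([v]))              # small INTEGER
gs = lambda s: tlv(0x1B, s.encode())               # GeneralString
name = lambda t, *p: tlv(0x30, ctx(0, num(t)) + ctx(1, tlv(0x30, b"".join(map(gs, p)))))
SAMPLE = tlv(0x6A, tlv(0x30, ctx(1, num(5)) + ctx(2, num(10)) + ctx(4, tlv(0x30,
    ctx(0, tlv(0x03, b"\x00\x40\x00\x00\x10")) + ctx(1, name(1, "alice")) +
    ctx(2, gs("EXAMPLE.COM")) + ctx(3, name(2, "krbtgt", "EXAMPLE.COM")) +
    ctx(5, tlv(0x18, b"20370913024805Z")) + ctx(7, num(42)) +
    ctx(8, tlv(0x30, num(18)))))))
```

Calling `cleartext_identity(SAMPLE)` returns the principal and realm without any key material, which is the same thing a packet capture shows.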


active directory, authentication, encryption, kerberos

All times are GMT -5. The time now is 11:15 AM.
