Interesting problem with OpenSSH v3.9p1, MIT Kerberos authenticating against Active Direct...

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!


I seem to have run into a road block getting my Linux machines to
authenticate against AD when coming in through OpenSSH.

First, let me start off my listing what my environmnet is:

Test Client:
* RHEL Linux
* MIT Kerboros v1.4
* OpenSSH v3.9p1 - Compiled using the following line:
./configure --with-tcp-wrappers --with-pam
--with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr

Active Directory:
* Windows 2003

Scenario 1:

If I use my local account and password, I can get into the machine OK.
I know that OpenSSH is functioning properly.  At this point, if I do a
'kinit' I can successfully authenticate myself against AD and obtain my
Keberos5 ticket.

Scenario 2:

If I change my account information to require that authentication take
place using Kerberos, then I get the following error from the ssh daemon:

debug1: Kerberos password authentication failed: ASN.1 encoding ended

-- What I have been able to determine at this point is that if I remove
my userid from the multitude of groups that it belongs to in AD, then I
*can* successfully authenticate myself when I come in through OpenSSH,
using Kerberos.

-- If I place myself back into the same groups, I cannot authenticate
myself and get the above error.

In doing some reading, it appears as if I need to force TCP usage in the
MIT Kerberos, which I have done.  Everything still works when I do
'kinit' but nothing has changed in regards to OpenSSH authentication

Anyone have any thoughts or suggestions?


Site Timeline