10. Kerberos

There are two different versions of the Kerberos client: version 4 from KTH and version 5 from MIT. As Microsoft uses version 5, you should use the MIT version. Fedora ships the MIT implementation, so the stock packages will do.

The packages krb5-lib and krb5-workstation are required. They are installed by default; if they are not, install the latest versions with yum.


10.1 Configure Kerberos

The Kerberos configuration file is /etc/krb5.conf. To connect to AD, its settings must match the domain configuration.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLENET.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLENET.ORG = {
kdc = dc1.examplenet.org:88
# admin_server = kerberos.example.com:749
default_domain = examplenet.org
}

[domain_realm]
.examplenet.org = EXAMPLENET.ORG
examplenet.org = EXAMPLENET.ORG

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

The lines to pay attention to are the realm and KDC entries: default_realm in [libdefaults], the realm block in [realms] with its kdc line, and the mappings in [domain_realm]. They must match your AD domain, and the realm name must be written in uppercase as shown.
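As an added example (not from this HOWTO), the Python script below parses a krb5.conf in the profile syntax shown above and flags the mistakes this section warns about: a realm name that is not uppercase, a default realm with no [realms] entry or no kdc line, and a [domain_realm] mapping that points at a realm the file never defines. The sample configurations are constructed to mirror the one above, and the function names are my own.

```python
def parse_krb5_conf(text):
    """Parse krb5.conf profile syntax into {section: {key: value}}; a
    'key = {' ... '}' block becomes a nested dict (as used by [realms])."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):   # new [section]
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == '}':                             # close a { } block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                          # open a { } block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(text):
    """Return the list of AD-join problems found (empty means it looks right)."""
    conf, problems = parse_krb5_conf(text), []
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['[libdefaults] has no default_realm']
    if realm != realm.upper():                        # AD realm names are uppercase
        problems.append(f'default_realm {realm!r} is not uppercase')
    realms = conf.get('realms', {})
    if realm not in realms:
        problems.append(f'[realms] has no entry for {realm}')
    elif 'kdc' not in realms[realm]:
        problems.append(f'[realms] {realm} has no kdc line')
    for domain, target in conf.get('domain_realm', {}).items():
        if target not in realms:
            problems.append(f'[domain_realm] {domain} maps to undefined realm {target}')
    return problems

# Constructed sample mirroring the HOWTO's config (no real hosts involved).
SAMPLE_OK = """[libdefaults]
default_realm = EXAMPLENET.ORG
[realms]
EXAMPLENET.ORG = {
kdc = dc1.examplenet.org:88
}
[domain_realm]
.examplenet.org = EXAMPLENET.ORG
"""
# The same file with the realm typed in lowercase, the mistake the text warns about.
SAMPLE_LOWER = SAMPLE_OK.replace('EXAMPLENET.ORG', 'examplenet.org')
```

Run check_krb5_conf on your own /etc/krb5.conf contents before trying kinit; an empty list means the realm, KDC and domain mappings are at least consistent with each other.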


10.2 Test Kerberos

Before trying to connect to AD, the AD DNS should have an A record for the pptp server. To add the A record, on your Windows DNS server, click Start -> Administrative Tools -> DNS. The dnsmgmt window pops up. Click on the "+" next to "Forward Lookup Zones". Right-click on the AD domain name, which in our test environment is EXAMPLENET.ORG, and choose "New Host (A)...". Enter the server's NetBIOS name (as defined in smb.conf) and its IP address, then press the "Add Host" button.

When the DNS is ready, it is time to test Kerberos. Note that the realm (domain) name must be given in uppercase.

[root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG
Password for skwok@EXAMPLENET.ORG:
Authenticated to Kerberos v5

To check the Kerberos tickets:

[root@pptp etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: skwok@EXAMPLENET.ORG
Valid starting     Expires            Service principal
09/03/05 14:43:47  09/04/05 00:43:04  krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
        renew until 09/04/05 14:43:47
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

