Datasäkerhet och Informationssäkerhet

Robert Malmgren AB

“Trust is good, control is better.”

a blog about unixy stuff and so on


Using Active directory as a unix KDC - Quick start

The use of kerberos in unix environments is often neglected due to the imagined complexity of configuring such an environment. Bellow is a step by step guide on information how to integrate kerberos via active directory with unix to provide users with a secure single sign-on experience.

While most guides, some of them good, others lacking detail, try to explain too much about the protocol, this guide tries to be quick and easy to use, and tries to avoid too many details and instead focus on actions that needs to be done.

The first thing that needs to be done is to create a shared secret between the unix host and the KDC/AD. This is done by using the ktpass.exe utility, bundled with 2003 in the support tools directory. Note that ktpass.exe is updated regularly, and using a version below the one bundled with 2003 r2 is not recommended, as it lacks certain options.

Create a service account In the active directory manage users and computers, create a new account, name it something like "host-$hostname" Make sure that the password does not expire, nor that the user can change it's password. Btw, it is a good idea to apply a domain policy to this user so that it can not be used for logins.

Extract a keytab by using ktpass.exe

Copy the keytab securely to the destination host, save it as /etc/krb5.keytab (or /etc/krb5/krb5.keytab,) depending on where the system krb5.conf specifies the keytab.

configure krb5.conf, enable gssapi in sshd, restart it and try to login. Easy as pie!