Configuring Fedora Core 3



  1. Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability (
  2. Red Hat Enterprise Linux 4: Reference Guide. Chapter 19. Kerberos (



Prerequisite: time synchronization. Configure your Windows DC to enable LocalNTP in Windows Time Service (registry). Configure the client to use the DC as the NTP server. Synchronise time.

Create a DNS entry for the Linux host – “”.


Follow the instructions in the Red Hat Reference Guide (reference 2 above).

RPM packages: krb5-libs, krb5-workstation


Create the keytab. On the Windows DC (this follows the Microsoft Kerberos step-by-step guide, reference 1 above):


Create a user account for the Linux Kerberos client: "lx1"/"lx1" (user name/password)

Install Windows 2000/2003 Support Tools. From the command line, run:



c:\Program Files\Support Tools>ktpass -princ host/ -mapuser lx1 -pass lx1 -out c:\temp\lx1.keytab



The output:


Successfully mapped host/ to lx1.

Key created.

Output keytab to c:\temp\lx1.keytab:


Keytab version: 0x502

keysize 69 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x34effe75d6e616bc)

Account has been set for DES-only encryption.


Now move the lx1.keytab to the Linux host as /etc/krb5.keytab



On Linux there is a text-mode "wizard" for configuring the Kerberos client. From the shell prompt, type setup

Select Authentication configuration, Run Tool

Check Use Kerberos under Authentication, Next


Kerberos Settings




Admin Server: /blank/

[*] Use DNS to resolve hosts to realms

[ ] Use DNS to locate KDCs




Review /etc/krb5.conf and make sure it contains the realm information. Double-check for typos, and put the full and correct principal name on the ktpass command line; this saves a lot of frustrating troubleshooting later.


Verify Kerberos functionality. On the Linux console:


[root@lx1 ~]# kinit host/

Password for host/


Enter the password (as created earlier). No error message means success: a TGT has been received. Further verification:


[root@lx1 ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: host/


Valid starting     Expires            Service principal

04/04/05 10:13:46  04/04/05 20:14:04  krbtgt/

        renew until 04/05/05 10:13:46



Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached


[root@lx1 ~]# kinit AD_user_name

- this returns an error if you enter a wrong password and nothing if the password is correct.


To see the communication between the Linux host and the KDC, use tethereal -f “host That may be required for troubleshooting.


The system is now ready to obtain Kerberos tickets and to authenticate interactive users with Kerberos once PAM is configured to use it.


Configuring Apache



  1. Providing Active Directory authentication via Kerberos protocol in Apache (
  2. Kerberos Module for Apache (


Prerequisite RPMs: Kerberos subsystem (as above), mod_auth_kerb


The Kerberos authentication module is loaded (together with a virtual directory configuration example) in /etc/httpd/conf.d/auth_kerb.conf.


Create a keytab for mod_auth_kerb. On the KDC:


c:\Program Files\Support Tools>ktpass -princ HTTP/ -mapuser lx1 -pass lx1 -out c:\temp\lx1http.keytab

Successfully mapped HTTP/ to lx1.

Key created.

Output keytab to c:\temp\lx1http.keytab:


Keytab version: 0x502

keysize 69 HTTP/ ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x7f0b01ad4940f876)

Account has been set for DES-only encryption.


Transfer lx1http.keytab to lx1:/etc/ and rename it to mod_auth_kerb.keytab.


Make sure the file is readable by the httpd worker processes (they run as the apache user, and it is they that read the keytab). Here it is simply made world-readable:


[root@lx1 conf]# chmod 644 /etc/mod_auth_kerb.keytab


Configure Apache document root. Create /var/www/html/index.html. Specify the following directory configuration:


<Directory />
    Options FollowSymLinks
    AllowOverride None

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Krb5KeyTab /etc/mod_auth_kerb.keytab
    require valid-user
</Directory>




Leaving SSL out for now – change for production.


Troubleshooting HTTP error 500: see the Apache error log (tail /etc/httpd/logs/error_log).




[Mon Apr 04 12:06:05 2005] [error] [client] gss_acquire_cred() failed: Miscellaneous failure (Unsupported key table format version number) – improper keytab (as in Alex’s KB article)

[Mon Apr 04 12:34:47 2005] [error] [client] gss_acquire_cred() failed: Miscellaneous failure (Permission denied) – no read permission on the keytab
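An added example, not part of the original note: a small Python parser for the MIT keytab format that ktpass writes (version 0x502, as in the ktpass output above). It lists each principal's kvno and etype without exposing the key bytes, rejects any other format version (the first error above), and flags single-DES etypes such as the 0x1 DES-CBC-CRC keys ktpass produced here as weak. The FQDN, realm and key bytes in the sample keytab are constructed placeholders.

```python
import struct

# Kerberos etype numbers (RFC 3961). etype 0x1 is what ktpass produced above;
# single DES and RC4 are weak and should not be relied on today.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ETYPES = {1, 2, 3, 23}

def parse_keytab(data: bytes):
    """Parse an MIT-format keytab (v0x502, big-endian); key bytes are never returned."""
    if len(data) < 2 or data[:2] != b"\x05\x02":
        # 0x501 or junk: mod_auth_kerb reports "Unsupported key table format version number"
        raise ValueError("unsupported keytab format version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []                        # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        name_type, ts, kvno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        if end - pos >= 4:                  # optional 32-bit kvno, used when nonzero
            (v,) = struct.unpack(">I", data[pos:pos + 4]); kvno = v or kvno
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "kvno": kvno, "etype": etype,
                        "etype_name": ETYPES.get(etype, f"etype {etype}"),
                        "keylength": klen, "weak": etype in WEAK_ETYPES})
    return entries

def make_entry(principal, etype, key, kvno=1, name_type=1, ts=0):
    """Encode one keytab entry; used here only to build the constructed sample."""
    name, realm = principal.rsplit("@", 1); comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, ts, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the host/ and HTTP/ principals from this note with a
# placeholder FQDN and realm, and a dummy 8-byte DES key (not real key material).
DUMMY_KEY = bytes(range(8))
SAMPLE_KEYTAB = (b"\x05\x02" + make_entry("host/lx1.example.com@EXAMPLE.COM", 1, DUMMY_KEY)
                 + make_entry("HTTP/lx1.example.com@EXAMPLE.COM", 1, DUMMY_KEY))
```

Run it against a real /etc/mod_auth_kerb.keytab (open the file in binary mode and pass the bytes to parse_keytab) to confirm the HTTP/ principal, its kvno and a non-DES etype before restarting httpd.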


Note that this is authentication only: authorisation must still be checked in the Web application code.


The configuration works for both password and smart card Windows users.