Dealings with kerberos ...

Hello,
I am trying to connect an OpenSuse11 server to a MS 2003 Active Directory server with kerberos 5. The ultimate aim is to authenticate postgres database users against the AD.

I have found some information that has got me started.

However, my first issue is that I am not getting any messages from kerberos in /var/log/messages.
[libdefaults]
default_realm = LAB2K.NET
dns_lookup_kdc = false;

[realms]
LAB2K.NET = {
kdc = labad2.lab2k.net
}
[domain_realm]
lab2k.NET = LAB2K.NET
lab2k.net = LAB2K.NET
.lab2k.net = LAB2K.NET
lab2k = LAB2K.NET
poe3b.lab2k.net = LAB2K.NET
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
kdc = SYSLOG:DEBUG:AUTH
admin_server = FILE:/var/log/krb5/kadmind.log
admin_server = SYSLOG:DEBUG:AUTH
default = SYSLOG:DEBUG:DAEMON

Our sys admins created a key tab file:
C:\>ktpass -princ HTTP/poe3b.lab2k.net@lab2k.NET -mapuser poe3b -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass * -out c:\poe3b.keytab
Targeting domain controller: LABAD2.lab2k.net
WARNING: realm "lab2k.NET" has lowercase characters in it.
We only currently support realms in UPPERCASE.
assuming you mean "LAB2K.NET"...
Successfully mapped HTTP/poe3b.lab2k.net to poe3b.
Type the password for HTTP/poe3b.lab2k.net:
Type the password again to confirm:
Key created.
Output keytab to c:\poe3b.keytab:
Keytab version: 0x502
keysize 57 HTTP/poe3b.lab2k.net@LAB2K.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0b7c7cda2679a708)
Account poe3b has been set for DES-only encryption.

It appears that the principal HTTP has been mapped to the user poe3b.

klist -k -t poe3b.keytab
Keytab name: FILE:poe3b.keytab
KVNO Timestamp Principal

1 12/31/69 19:00:00 HTTP/poe3b.lab2k.net@LAB2K.NET

kinit -k -t poe3b.keytab HTTP
kinit(v5): Client not found in Kerberos database while getting initial credentials

hostname -f
poe3b.lab2k.net
It seems that the user in the keytab file is not being recognized by AD - is this what the error messages mean?

However, if I go to a Windows machine in that domain, I can find the user poe3b
(poe3b (HTTP/poe3b.lab2k.net@LAB2K.NET))

What am I missing? It seems that the pieces are there. Any thoughts much appreciated.

Thanks - Bryan.
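
The keytab layout behind the ktpass and klist output above, as an added example (not part of the original post and not code from any Kerberos distribution): a small Python reader for version 0x502 keytabs that lists each principal, flags single-DES keys, and shows how a name given without a realm, such as `HTTP`, expands with the default realm before it is looked up. The sample keytab is constructed with an all-zero key, and the function names are hypothetical.

```python
import struct

WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # single-DES

def parse_keytab(data):
    """Return one dict per live entry; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative length marks a deleted slot
            pos -= size
            continue
        p = pos
        def counted():                     # uint16 length followed by that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ntype, ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        p += 11
        counted()                          # key material: skip
        if pos + size - p >= 4:            # optional 32-bit kvno extension
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": f"{name}@{realm}", "kvno": kvno, "etype": etype,
                        "timestamp": ts, "size": size, "weak": etype in WEAK_ETYPES})
        pos += size
    return entries

def requested_principal(name, default_realm):  # realm-less names get default_realm
    return name if "@" in name else f"{name}@{default_realm}"

# Constructed sample mirroring the klist/ktpass output in the post (all-zero key).
SAMPLE = (b"\x05\x02" b"\x00\x00\x00\x39"                  # version, entry size 57
          b"\x00\x02" b"\x00\x09LAB2K.NET"                 # 2 components, realm
          b"\x00\x04HTTP" b"\x00\x0fpoe3b.lab2k.net"       # name components
          b"\x00\x00\x00\x01" b"\x00\x00\x00\x00" b"\x01"  # name type 1, time 0, kvno 1
          b"\x00\x03" b"\x00\x08" + bytes(8))              # etype 3, 8-byte key

if __name__ == "__main__":
    entry = parse_keytab(SAMPLE)[0]
    for asked in ("HTTP", "HTTP/poe3b.lab2k.net"):
        full = requested_principal(asked, "LAB2K.NET")
        print(entry, "| asked:", full, "| in keytab:", full == entry["principal"])
```

Run against the sample, the name `HTTP` resolves to `HTTP@LAB2K.NET`, which is not the principal stored in the keytab, while `HTTP/poe3b.lab2k.net` resolves to the stored one; the entry is also flagged as a single-DES key.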