What version of Kerberos?
You need AT LEAST version 1.3.1 to communicate properly with W2K3.

Leave the version installed on the machine. Get the newest version from MIT (v1.3.5, I think). Extract it both times (the tar pkg bundles it with signatures). cd into the krb5-<version>/src/ directory and run this configure line:
./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
--infodir=/usr/share/info CC=gcc CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 \
-I/usr/include/et -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
--enable-static --bindir=/usr/kerberos/bin --mandir=/usr/kerberos/man \
--sbindir=/usr/kerberos/sbin --datadir=/usr/kerberos/share \
--localstatedir=/var/kerberos --with-krb4 --with-system-et --with-system-ss \
--without-tcl --enable-dns
then do the make ; su -c "make test" ; su -c "make install"

To see if it worked, try a kinit ads-user@DOMAIN.COM if your stuff is set properly... it should.

Then you should be able to auth against the krb5 ticket issuer (being ADS).

One other thing: ADS only supports 2 types of tickets. Here are the pertinent pieces you need to make sure are right in /etc/krb5.conf:

[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     ticket_lifetime = 24000
     default_realm = DOMAIN.COM
     default_tkt_enctypes = des-cbc-md5 des-cbc-crc
     default_tgs_enctypes = des-cbc-md5 des-cbc-crc
     kdc_timesync = 1
     dns_lookup_realm = true
     dns_lookup_kdc = true
     forward = true
     forwardable = true
     proxiable = true
     autologin = true
     encrypt = true

[realms]
     DOMAIN.COM = {
     kdc = mydc1.domain.com:88
     admin_server = mydc1.domain.com:749
     default_domain = domain.com
     }
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
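An added check, not part of the post above: a small Python script that parses the top-level key = value lines of a krb5.conf and reports which single-DES enctypes the [libdefaults] section enables, so an admin can spot where the DES-only setting the post describes for W2K3 still lingers. The sample config is constructed from the fragment above; the weak-enctype list and the parser are assumptions about MIT's config syntax, not project code.

```python
import re

# Constructed sample: the [libdefaults] lines posted above, with the
# DES-only enctypes the post says ADS needs, plus a realm block.
SAMPLE_KRB5_CONF = """\
[libdefaults]
     ticket_lifetime = 24000
     default_realm = DOMAIN.COM
     default_tkt_enctypes = des-cbc-md5 des-cbc-crc
     default_tgs_enctypes = des-cbc-md5 des-cbc-crc
     dns_lookup_kdc = true

[realms]
     DOMAIN.COM = {
     kdc = mydc1.domain.com:88
     admin_server = mydc1.domain.com:749
     }
"""

# Single-DES enctype names as spelled in MIT krb5 config files (assumed list).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1"}
# [libdefaults] keys whose values are space-separated enctype lists.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}


def parse_krb5_conf(text):
    """Return {section: {key: value}} for key = value lines at section top level.
    Lines inside a { } block (e.g. a realm's kdc) are skipped: they are not enctypes."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                          # new section header
            current, depth = m.group(1), 0
            sections.setdefault(current, {})
        elif line.endswith("{"):                       # enter a nested block
            depth += 1
        elif line == "}":                              # leave a nested block
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def weak_enctype_findings(text):
    """List (key, enctype) pairs where [libdefaults] enables a single-DES type."""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    return [(k, e) for k in sorted(ENCTYPE_KEYS & lib.keys())
            for e in lib[k].split() if e.lower() in WEAK_ENCTYPES]
```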
AD is already working on the command line
kinit works from a terminal on the webserver. It's getting it to work through the browser that fails.
===

Implicitly condoning stupidity since 2001.
     Anyone got Kerberos working to auth Apache to W2K3? - (drewk) - (2)
         What version of Kerberos? - (folkert) - (1)
             AD is already working on the command line - (drewk)
