As I have seen people in the past asking about how to create a keytab with a Computer account, I put some details together:

1) The ktpass version I used is from Windows 2003 R2, File Version: 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)

2) I only create RC4 keytabs as now MIT and Heimdal support it.

3) Firstly I create a Computer Account e.g. testPRINCIPAL in AD with the User and Computer tool.

4) Secondly I run

    ktpass /out testPrincipal.keytab /mapuser [EMAIL PROTECTED] /princ TESTSPN/[EMAIL PROTECTED] /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTSPN/FQDN to TESTPRINCIPAL$.
    WARNING: Account TESTPRINCIPAL$ is not a user account (uacflags=0x1021).
    WARNING: Resetting TESTPRINCIPAL$'s password may cause authentication problems if TESTPRINCIPAL$ is being used as a server.
    Reset TESTPRINCIPAL$'s password [y/n]? y
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to testPrincipal.keytab:
    Keytab version: 0x502
    keysize 64 TESTSPN/[EMAIL PROTECTED] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)

5) I tested the keytab with kfw 3.0

    c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab TESTSPN/[EMAIL PROTECTED]
    c:\Program Files\MIT\Kerberos\bin\klist.exe -e
    Ticket cache: API:krb5cc
    Default principal: TESTSPN/[EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    05/06/06 15:22:05  05/07/06 01:22:05  krbtgt/[EMAIL PROTECTED]
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

6) Remark: If ptype is KRB5_NT_SRV_HST the principal name has to have a dot in the fqdn !!!!

    ktpass /out testComputer.keytab /mapuser [EMAIL PROTECTED] /princ TESTSPN/[EMAIL PROTECTED] /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTSPN/FQDN to TESTCOMPUTER$.
    WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
    WARNING: Resetting TESTCOMPUTER$'s password may cause authentication problems if TESTCOMPUTER$ is being used as a server.
    Reset TESTCOMPUTER$'s password [y/n]? y
    Invalid SPN.
    Failed to create key for keytab. Quitting.

Now with a dot

    ktpass /out testComputer.keytab /mapuser [EMAIL PROTECTED] /princ TESTSPN/[EMAIL PROTECTED] /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST
    Targeting domain controller: w2k3.windows2003.home
    Using legacy password setting method
    Successfully mapped TESTSPN/FQDN.COM to TESTCOMPUTER$.
    WARNING: Account TESTCOMPUTER$ is not a user account (uacflags=0x1021).
    WARNING: Resetting TESTCOMPUTER$'s password may cause authentication problems if TESTCOMPUTER$ is being used as a server.
    Reset TESTCOMPUTER$'s password [y/n]? y
    Key created.
    Output keytab to testComputer.keytab:
    Keytab version: 0x502
    keysize 68 TESTSPN/[EMAIL PROTECTED] ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xd0fc81746c2bed1da5d505b491634ce5)

    c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testComputer.keytab TESTSPN/[EMAIL PROTECTED]
    c:\Program Files\MIT\Kerberos\bin\klist.exe -e
    Ticket cache: API:krb5cc
    Default principal: TESTSPN/[EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    05/06/06 15:31:32  05/07/06 01:31:32  krbtgt/[EMAIL PROTECTED]
            Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Regards
Markus

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
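
The ktpass summary lines above (keytab version 0x502, ptype, vno, etype, keylength) can also be read straight from the keytab file. The following is an added example, not part of the original post or of any Kerberos distribution: a small parser for the 0x502 keytab layout that reports those fields and flags legacy encryption types such as RC4-HMAC. The function names, the EXAMPLE.COM realm, the host name and the all-zero key are assumptions constructed for illustration.

```python
import struct

WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # legacy etypes to flag

def parse_entry(buf):
    off = 0
    def take(fmt):                       # read one big-endian field, advance cursor
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                       # 16-bit length followed by that many bytes
        nonlocal off
        n = take(">H")
        if off + n > len(buf):
            raise ValueError("truncated keytab entry")
        off += n
        return buf[off - n:off]
    ncomp = take(">H")                   # in 0x502 the realm is not counted
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    ptype, _timestamp, kvno, etype = take(">I"), take(">I"), take(">B"), take(">H")
    keylength = len(counted())           # key bytes are never returned or printed
    if len(buf) - off >= 4:              # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "ptype": ptype, "vno": kvno,
            "etype": etype, "keylength": keylength, "weak": etype in WEAK_ETYPES}

def parse_keytab(data):                  # one dict per live entry of a 0x502 keytab
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)                 # negative size marks a deleted slot to skip
    return entries

def sample_entry(realm, comps, ptype, kvno, etype, key):
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", ptype, 0, kvno, etype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: principal, realm and all-zero key are made up for illustration.
SAMPLE = b"\x05\x02" + sample_entry(
    b"EXAMPLE.COM", [b"TESTSPN", b"host.example.com"], 3, 14, 23, bytes(16))
```

Calling `parse_keytab(SAMPLE)` returns a single entry with ptype 3, vno 14 and etype 23, marked weak; for a real file, pass the bytes read from the keytab in binary mode.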