So just looking at the ticket, I can get the following seemingly relevant
information. I'm requesting a TGT for a principal [email protected]
. krbtgt/[email protected] is my KDC in LDAP.

TgTicket serverTgt = conn.getTgt(sshPrincipal, PASSWORD);
// client principal and the key carried in the encrypted part of the KDC reply
LOG.debug("Client name: {}", serverTgt.getClientName());
LOG.debug("Key version: {}", serverTgt.getEncKdcRepPart().getKey().getKeyVersion());
LOG.debug("Key type: {}", serverTgt.getEncKdcRepPart().getKey().getKeyType());
// server principal, as seen by the TgTicket wrapper and by the ticket itself
LOG.debug("Server name: {}", serverTgt.getServerName());
LOG.debug("Ticket Vno: {}", serverTgt.getTicket().getTktVno());
LOG.debug("Protocol Vno: {}", serverTgt.getTicket().getProtocolVersionNumber());
LOG.debug("Server Name: {}", serverTgt.getTicket().getSName());
LOG.debug("Server Name Value Type: {}", serverTgt.getTicket().getSName().getNameType().getValue());
LOG.debug("Server Name String: {}", serverTgt.getTicket().getSName().getNameString());

Client name: client
Key version: 0
Key type: des-cbc-md5 (3)
Server name: krbtgt/EXAMPLE.COM
Ticket Vno: 5
Protocol Vno: 5
Server Name: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
Server Name Value Type: 2
Server Name String: krbtgt/EXAMPLE.COM


For my keytab entry I need:

new KeytabEntry(String principalName, long principalType, KerberosTime timeStamp,
byte keyVersion, EncryptionKey key);
I'm guessing that creating a keytab entry for [email protected] would be
done by passing in:

new KeytabEntry("[email protected]", X, Y, (byte) 0, Z);

where:

*X = PrincType? Is there some constant defined somewhere?*
Y = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
Z = encryption key from TgTicket.getEncKdcRepPart()

Does that sound correct? Could I then use that keytab to authenticate
[email protected]?

Josh

On Thu, Apr 24, 2014 at 11:45 AM, Kiran Ayyagari <[email protected]>wrote:

>
>
>
> On Thu, Apr 24, 2014 at 9:06 PM, Josh Clum <[email protected]> wrote:
>
>> What would be the key things I would need to get from the Tgt?
>>
> all those that are needed to build a keytab ;)
> (let me know if you don't find a particular piece of data in TgTicket)
>
>>
>> On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <[email protected]>wrote:
>>
>>>
>>>
>>>
>>> On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <[email protected]> wrote:
>>>
>>>> I was wondering if there was a way to generate my own keytab in java
>>>> without going to the kdc? I found code similar to this in an ApacheDS test:
>>>>
>>>>         Keytab keytab = Keytab.getInstance();
>>>>         KerberosTime timeStamp = new
>>>> KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>>>>
>>>>         // string2key: the principal's long-term keys derived from its password
>>>>         Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
>>>>             .getKerberosKeys(principalName, userPassword);
>>>>
>>>>         KeytabEntry keytabEntry = new KeytabEntry(
>>>>             principalName,
>>>>             1L,                 // principal name type (1 = KRB_NT_PRINCIPAL)
>>>>             timeStamp,
>>>>             (byte) 0,           // key version number (kvno)
>>>>             keys.get(EncryptionType.DES_CBC_MD5));
>>>>
>>>>         List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>>>>
>>>>         keytab.setEntries(entry);
>>>>
>>>>         keytab.write(keytabFile);
>>>>
>>>>         return keytabFile;
>>>>
>>>> I'm able to run klist on a keytab that I create:
>>>>
>>>> Vno  Type         Principal                  Date        Aliases
>>>>
>>>>   0  des-cbc-md5  ssh/[email protected]  2007-02-17
>>>>
>>>>
>>>> Also, if this is not possible, is there a way to programmatically get a
>>>> keytab using ApacheDS or any other java library?
>>>>
>>> one way to do this is to use KdcConnection to obtain a TgTicket and
>>> create KeyTab from the details of TgTicket
>>>
>>>
>>>
>>> --
>>> Kiran Ayyagari
>>> http://keydap.com
>>>
>>
>>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
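A worked version of the keytab-writing step, added here as an example; it is not code from the thread or from ApacheDS itself. Two points a practitioner would want to keep in mind: a keytab has to carry the principal's long-term key, which is the string2key output that KerberosKeyFactory produced in the first snippet (the key inside EncKdcRepPart is the TGT's session key, which is why it reports kvno 0 and is not what a keytab stores); and des-cbc-md5 is a deprecated enctype (RFC 6649), so the example stores AES keys when the key factory can derive them and only falls back to single DES. The class and package names are those used by the ApacheDS 2.0.0-M snippets in the thread and are an assumption about the version in use; the principal, password, kvno and output path are placeholders. The block also reads the file back so the entries can be checked without shelling out to klist.

```java
// Added example, not ApacheDS project code. Assumes the ApacheDS 2.0.0-M
// kerberos-codec / kerberos-shared packages referenced in the thread.
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;

public class KeytabFromPassword
{
    // Enctypes to store, strongest first. Single DES (des-cbc-md5) is kept only
    // as a last resort for a KDC that offers nothing better; it is deprecated.
    private static final List<EncryptionType> PREFERRED = Arrays.asList(
        EncryptionType.AES256_CTS_HMAC_SHA1_96,
        EncryptionType.AES128_CTS_HMAC_SHA1_96,
        EncryptionType.DES_CBC_MD5 );

    /**
     * Writes a keytab for principal (e.g. "client@EXAMPLE.COM") holding its
     * long-term keys. kvno must match the key version the KDC holds for the
     * principal, otherwise the keytab entry will not be selected.
     */
    public static File writeKeytab( String principal, String password, byte kvno, File out )
        throws Exception
    {
        // string2key: long-term keys derived from the password. The realm in the
        // principal name is part of the salt, so pass the full name@REALM form.
        Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys( principal, password );

        KerberosTime timeStamp = new KerberosTime(); // entry timestamp: now
        List<KeytabEntry> entries = new ArrayList<KeytabEntry>();

        for ( EncryptionType type : PREFERRED )
        {
            EncryptionKey key = keys.get( type );
            if ( key != null )
            {
                // KRB_NT_PRINCIPAL (1) is the name type for a user or service
                // principal; krbtgt/REALM in the ticket above is KRB_NT_SRV_INST (2).
                entries.add( new KeytabEntry( principal,
                    PrincipalNameType.KRB_NT_PRINCIPAL.getValue(), timeStamp, kvno, key ) );
            }
        }

        if ( entries.isEmpty() )
        {
            throw new IllegalStateException( "no usable enctype derived for " + principal );
        }

        Keytab keytab = Keytab.getInstance();
        keytab.setEntries( entries );
        keytab.write( out );
        return out;
    }

    public static void main( String[] args ) throws Exception
    {
        // Placeholder principal (client name and realm taken from the output in
        // the thread), password, kvno and path; replace with the real values.
        File out = writeKeytab( "client@EXAMPLE.COM", "secret", ( byte ) 1, new File( "client.keytab" ) );

        // Read the file back: the same information klist -k prints.
        for ( KeytabEntry e : Keytab.read( out ).getEntries() )
        {
            System.out.printf( "kvno %d  %s  %s%n",
                e.getKeyVersion(), e.getKey().getKeyType(), e.getPrincipalName() );
        }
    }
}
```

The keys come out of KerberosKeyFactory exactly as the KDC derived them when the password was set, so the keytab only authenticates if the password and kvno passed here are the ones the KDC currently holds for the principal; a TGT obtained through KdcConnection is a useful way to confirm which enctypes the KDC is willing to use before choosing what to store.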
