Dirk Pape wrote:
>
> Hello,
>
> In article <[EMAIL PROTECTED]>,
>  "Ryan Odgers" <[EMAIL PROTECTED]> wrote:
>
> > I have AD users corresponding to the services e.g. telnet and ftp and have
> > used ktpass to generate the following principals.
> > telnet/[EMAIL PROTECTED]
> > ftp/[EMAIL PROTECTED]
> >

Usually the principal would be host/[EMAIL PROTECTED]
The same principal is used by all the "login" type daemons that start user
processes, or allow access to the local file systems as a user.

You can look at the client code to see what it wants, or use a network trace.
http://www.ethereal.com/ has a nice trace program that can format Kerberos
packets, as the client requests a ticket for the service.

> > I just get lost in how to get a ticket from windows to use that service. If
> > I am on the unix machine and do a kinit with the service as above, I can
> > authenticate and if I do a klist the ticket is listed. How do I make a
> > kerberos aware client on windows to authenticate using these credentials?
>
> as far as I know and did, you have to look into the documentation of the
> services (here ftp and telnet) to find out what SPN they will look for
> and where (in which keytab) they will look for it. There might be some
> additional config parameters to force the service to use another keytab
> or another SPN but that is not always the case.
>
> If you found out you have to create the keytab entry for this SPN in the
> AD, map it to the service account user you created (ktpass ... /mapuser
> ...), transfer it to the service host and merge it into the service's
> keytab.
>
> If the unix service runs under a different user (e.g. ftp for the
> ftp-service) you have to ensure that this user (and only this user) has
> read access to the keytab which contains the key.
>
> Regards,
> Dirk.
>
> --
> Dr. Dirk Pape (Leiter des Rechnerbetriebs)
> FB Mathematik und Informatik der FU-Berlin
> Takustr. 9, 14195 Berlin
> Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--

 Douglas E. Engert <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
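
The two keytab checks discussed in this thread (the keytab holds the SPN the service looks for, and only the service user can read it), as an added example that is not part of the original messages. It assumes an MIT-format keytab (file version 0x0502); the function names, the principal host/unix1.example.com@EXAMPLE.COM and the dummy key are constructed for illustration.

```python
import os
import stat
import struct

def keytab_principals(data):
    """List 'name/host@REALM' for each live entry of an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        entry, cur = data[pos:pos + size], 2
        (count,) = struct.unpack_from(">H", entry, 0)
        parts = []
        for _ in range(count + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, cur)
            parts.append(entry[cur + 2:cur + 2 + n].decode("utf-8"))
            cur += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
        pos += size
    return names

def audit_keytab(path, expected_spn, service_uid):
    """Return findings; an empty list means the keytab passes every check."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != service_uid:
        findings.append(f"owner uid {st.st_uid}, expected {service_uid}")
    if mode & 0o077:
        findings.append(f"group/other can access keytab: mode {mode:04o}")
    with open(path, "rb") as fh:
        names = keytab_principals(fh.read())
    if expected_spn not in names:
        findings.append(f"{expected_spn} missing, keytab has {names}")
    return findings

def sample_keytab(realm, *components):
    """Constructed input: one entry with a dummy all-zero key, for trying the audit."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, 1)                 # name type, timestamp, kvno
    body += struct.pack(">H", 23) + counted(bytes(16))   # enctype 23, 16-byte key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run `audit_keytab` on the service host against the keytab the daemon actually opens, passing the numeric uid of the account the daemon runs as.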