Javier,
 
Thank you. I have a related question for you:
 
In order to use a user account which is then used to run ktpass against, I need 
to first create the user account (e.g. [EMAIL PROTECTED]). When I use ktpass I 
specify the name of this account using the -mapuser parameter. 
 
With the above in consideration, surely it is possible to use kinit, or Windows 
logon, or some other authentication method to log on as [EMAIL PROTECTED] and 
cause this account to get locked when the password attempt is wrong > x times?
 
If I understand it correctly, the principal name given when ktpass is run is 
used as an alias, but the account in AD can still be accessed using the 
[EMAIL PROTECTED] format?
 
I look forward to your feedback.
 
Regards, Tim

________________________________

From: jpbermejo [mailto:[EMAIL PROTECTED]
Sent: Fri 06/05/2005 09:34
To: Markus Moeller; Tim Alsop
Cc: [email protected]
Subject: Re: Denial of service when using Active Directory for KDC ?



On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote:
> Tim,
> in our setup we use computer accounts instead of user accounts, and haven't
> experienced this issue. I think the latest ktpass can do this with
> mapuser having a $ at the end.

I don't know about computer accounts, but this DoS is not possible if
you are using service principals. Active Directory doesn't allow login
for service principals, and keytabs are only useful to decrypt tickets.
Making an LDAP query to AD, you can get things like

dNSHostName: sist03lnx.domain.com
userPrincipalName: HOST/[EMAIL PROTECTED]
servicePrincipalName: HTTP/sist03lnx.domain.com
servicePrincipalName: HTTP/sist03lnx

In this case, only HOST/sist03lnx keytab works with `kinit -k`. If you
attempt to get a TGT with the other principals, you get nothing.

Javier Palacios

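A small shell check that follows Javier's point, added here as an example (not code from the thread or from any project): it lists every principal in a keytab with `klist -k` and tries `kinit -k` with each, reporting which ones the KDC actually issues a TGT for, so an administrator can see which keytab entries are backed by a logon-capable account. It assumes MIT Kerberos client tools (`klist`, `kinit`) and a readable keytab path in the KEYTAB environment variable; the principal names in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes MIT Kerberos client tools
# (klist, kinit) and a readable keytab; principal names are illustrative.

# Print the distinct principals stored in a keytab, reading `klist -k`
# output on stdin. Entry rows begin with a numeric KVNO column, so the
# "Keytab name:", "KVNO Principal" and "----" lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | LC_ALL=C sort -u
}

# Map a `kinit -k` exit status to a verdict: 0 means the KDC issued a TGT,
# i.e. the account behind this principal is logon-capable (and therefore
# exposed to password lockout); anything else means "you get nothing".
classify_kinit_status() {
    if [ "$1" -eq 0 ]; then
        echo "TGT-ISSUED"
    else
        echo "NO-TGT"
    fi
}

# Attempt `kinit -k` for every principal in the keytab, using a throwaway
# credential cache so the caller's real tickets are never touched.
probe_keytab() {
    keytab="$1"
    cache="$(mktemp)"
    klist -k "$keytab" | keytab_principals | while IFS= read -r princ; do
        status=0
        KRB5CCNAME="FILE:$cache" kinit -k -t "$keytab" "$princ" >/dev/null 2>&1 \
            || status=$?
        printf '%-11s %s\n' "$(classify_kinit_status "$status")" "$princ"
    done
    rm -f "$cache"
}

# Usage: KEYTAB=/etc/krb5.keytab sh probe-keytab.sh
if [ -n "${KEYTAB:-}" ]; then
    probe_keytab "$KEYTAB"
fi
```

Per Javier's observation, the host/ entry is the one you should expect to see reported as TGT-ISSUED; a user account mapped with ktpass -mapuser would show up the same way, which is exactly what makes it lockable.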



________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos