Javier,

Thank you again. I understand that the use of computer accounts either with ktpass or via another tool (our longer term goal) is the best approach. I am exchanging emails with Markus to find out how to use ktpass (short term solution) for computer account creation. I am yet to try his latest suggestion. We will eventually build a netjoin based utility, which will run on each system instead of on the domain controller. This will be similar to the code you refer to from CSS or provided with Samba, but will be supported by us for our customers to use with our products.

Regards,
Tim
________________________________
From: jpbermejo [mailto:[EMAIL PROTECTED]]
Sent: Fri 06/05/2005 10:59
To: Tim Alsop
Cc: Markus Moeller; [email protected]
Subject: RE: Denial of service when using Active Directory for KDC ?

On Fri, 2005-05-06 at 11:28 +0200, Tim Alsop wrote:
> Javier,
>
> Thank you. I have a related question for you:
>
> In order to use a user account which is then used to run ktpass
> against I need to first create the user account (e.g.

I did use that method many months ago, with a 2000 domain. Now, with a 2003 domain I've actually never tried ktpass seriously, and I use either samba or css_adkadmin. The first one forces node.domain.com into node$ as principal name, where the second allows HOST/node.domain.com. Both are standard computer accounts as any other windows machine. You can get a TGT (or any other tickets) for these principals using the proper keytab.

> If I understand it correctly the principal name given when ktpass is
> run is used as an alias, but the account in AD can still be accessed
> using the [EMAIL PROTECTED] format ?

As I don't use ktpass anymore, no alias or mapping to user accounts is performed. With both samba and adkadmin you can create service principals, and those are again pure windows service principals (as, for example LDAP/your.domain.controller). Those principals, at least on the unix side, are not allowed to acquire tickets (neither tgt nor service ones), so they cannot be 'denialed' anyway as the keytab is only used to decrypt tickets from other requesting principals.

Javier Palacios

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
