[EMAIL PROTECTED] wrote:
> Hi all,
>
> I am using a Windows 2003 Domain controller as KDC and I am using Linux
> machines. The steps I have followed to make these Linux machines
> use the Windows 2003 server are as follows:
> 1. Configured Windows 2003 as domain controller, added the Linux
> machines as users.
> 2. Generated keytab files using the ktpass tool.
> 3. Tested the gss server and gss client communication. It works fine.
>
> I notice that I had to add the Linux machines as users, generate
> separate keytab files for each account and copy those on to the Linux
> machines. The problem is it requires a lot of manual stuff to do. I
> am looking into how to automate this procedure. Could you please
> suggest how to go about it? Could you please let me know if this is
> the standard method of doing it as of now? Are there any other methods?
> I am really aiming at automating this procedure as it will be
> difficult to configure non-Windows systems which act as application
> servers if they are large in number.
>
> Could you please let me know your suggestions?
In addition to the samba approach, there is also the netjoin unix programs originally written by Microsoft to add an account to AD and update the keytab file. An updated version is also available, see: http://sourceforge.net/projects/netjoin

This works with W2k3 and can use RC4-HMAC. I started looking at this last month, and it looks promising. It can work with sasl-2.1.21 and OpenLDAP-2.3.11 and krb5-1.4.1 at least.

Has anyone else looked at this? There were 150 downloads, but little or no other activity on the sourceforge site.

I have run into only minor problems: The ldap code will use the DNS SRV records to find a DC to bind to so it can add the account. Then the Kerberos change password protocol is used to change the password for the account. This uses the krb5.conf or the DNS SRV records to find the admin_server or a master kdc. If this does not use the same AD as the ldap, then the password may not be changed, as there is some propagation delay within AD between DCs of the new account. It looks like with a special krb5.conf and the -s option one could force the same DC to be used for both.

It is set up to only add host service principals, but needs to be able to add others like cvs, pop, afs.

> - Sandy.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
