Sandy, another possibility is the following. Create the account as before on AD with ktpass (without extracting the key into keytab) which could be automated with a fixed initial password. Then use the change_password function which exists in the MIT code to change the password, which gives you the key to store it in the keytab (with string_to_key). This isn't automated, but avoids the keytab copy.
Also you should not use user accounts, but computer accounts for the following two reasons: 1) user accounts will be subject to domain password policies and you usually have a password expiry (e.g. 90 days) after which the keytab would stop working. Yes, you can set each account to never expire its password, but this is extra overhead. 2) If you want it automated, you have the risk of uncontrolled user creation, which any well-organised company has a problem with. Also you may want to use a sub OU under the Computer OU for your devices and give control over it to a different admin group.

Regards
Markus

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi all,
>
> I am using windows 2003 Domain controller as KDC and I am using linux
> machines. The steps I have followed to make these linux machines
> use windows 2003 server are as follows:
> 1. Configured windows 2003 as domain controller, added the linux
> machines as users.
> 2. Generated keytab files using ktpass tool.
> 3. Tested the gss server and gss client communication. It works fine.
>
> I notice that I had to add the linux machines as users, generate
> separate keytab files for each account and copy those on to the linux
> machines. The problem is it requires a lot of manual stuff to do. I
> am looking in to how to automate this procedure. Could you please
> suggest how to go about it ? Could you please let me know if this is
> the standard method of doing it as of now ? Are there any other methods
> ? I am really aiming at automating this procedure as it will be
> difficult to configure non windows systems which act as application
> servers and if they are large in number.
>
> Could you please let me know your suggestions ?
>
> - Sandy.
>
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
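The second half of Markus's suggestion (after the password has been set, derive the key with string_to_key on the Linux side and write it into a keytab, so no keytab file has to be copied from the domain controller) as an added Python example; this is not code from the thread. It assumes the Windows 2003-era arcfour-hmac enctype 23, whose string_to_key is simply MD4 of the UTF-16LE password, plus MIT keytab format 0x0502, and uses a hypothetical host principal and password as constructed sample values; MD4 is implemented inline because hashlib often does not expose it on OpenSSL 3.

```python
import struct

MASK = 0xFFFFFFFF
ENCTYPE_RC4_HMAC = 23  # arcfour-hmac-md5 (RFC 4757), the enctype Windows 2003 ktpass issued

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 often hides md4 from hashlib."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [(F, 0x00000000, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rol((a + f(b, c, d) + X[j] + k) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string_to_key: MD4 of the UTF-16LE password, no salt (same value as the NT hash)."""
    return md4(password.encode("utf-16-le"))

def keytab_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """One entry in MIT keytab format 0x0502; all integers are big-endian."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                         # 32-bit vno, read by newer libraries
    return struct.pack(">i", len(body)) + body

def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(entries)

if __name__ == "__main__":
    # Constructed sample: hypothetical host principal; the password is the one kpasswd/change_password just set.
    key = rc4_hmac_string_to_key("password")
    kt = build_keytab([keytab_entry("host/linux1.example.com", "EXAMPLE.COM", 2, ENCTYPE_RC4_HMAC, key)])
    with open("linux1.keytab", "wb") as f:
        f.write(kt)
```

The kvno passed in must match the account's current key version on the DC (it increments on every password change), otherwise the service will reject tickets even though the key bytes are right.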
