Hi all,

I am working on implementing Kerberos on an embedded device. I am aiming at using "Windows 2000 Server as KDC".

Please note that I had to add host names as users, generate separate keytab files for each account and copy those on to the target. The problem is that it requires a lot of manual work. I am looking into how to automate this procedure. I queried earlier regarding this and got replies which were of good help to me. I am trying to use the netjoin reference code given by Microsoft, which is written by M Moeller.

In earlier replies I got a reply whose link is given below:

http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/2b856ea605b5a64f/f12f4b8734a9d9cc?q=sandypossible&rnum=3#f12f4b8734a9d9cc

The summary of the reply was: create the account manually on the Windows AD, then use the Kerberos APIs such as change_password() to extract the key. I am trying this approach and I am able to extract the key into the keytab file.

Steps followed:

1) Manually created the host name "test" account under "users". Using ktpass, mapped the host name "test" to the MIT Kerberos format without extracting the key to the keytab file. (This I did by following the reply from the Kerberos group.)

   -> ktpass -princ host/[EMAIL PROTECTED] -mapuser test -pass passwd

2) Got the TGT for the Administrator of the domain on the target, and then used the set_password() function, which extracts the key and stores it in the keytab file.

After this I used "kinit -k host/test.kerberos.com" and got the TGT.

My questions are:

1) Will this really verify that the password was changed successfully and that I have the correct key extracted? Are there any other methods to verify this?

2) Is the mapping using the ktpass tool really required, as given in step 1 above? Could you please explain?

3) Will this approach work for Windows 2003 Server?

Regards.
Sandy.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
