[EMAIL PROTECTED] wrote:
> How can I list all the servers that I have mapped with the Ktpass
> command?
> 
> We are using Kerberos for SSO from our Middle Tier application that we
> develop.  To make this work I must map the middle Tier's servername
> with an account in the domain.  Here's a sample ktpass command that I
> use to do this:
> 
>      ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser svruser -pass svruserpwd

Each principal should have its own account, as the account has a single
password that is used to generate the keys and keytab for all the
servicePrincipalNames mapped to that account. And Kerberos principals are
normally FQDN, so it is not clear if the above -princ will work either.

For the account name, since the account name length must be < 19 and
unique in the forest, we use a convention of <service>-<shorthostname>-<div>
where the principal is <service>/<shorthostname>.<div>[EMAIL PROTECTED]
and if it is too long, abbreviate the service name, like h for host.

Rather than using ktpass we use msktutil (Google for it).
It uses LDAP and authenticates to AD, adds the account and SPNs, and creates
keytabs. Samba has some tools too.

> 
> I'm working in a development environment and have done this many
> times.  I'd like to know which machines I have already mapped.  How
> can I get the list?  The domain controller is Win Server 2003 SP1
> 
You can use the Windows mmc with the ADSI snap-in to look at AD. So
you can look at each account and look for servicePrincipalName attributes.

If you also have LDAP, you can do an ldapsearch for
servicePrincipalName=xxxx
or maybe even dnsHostName (msktutil sets this).

Any other LDAP browser could be used like JXplorer.

Note that AD will accept LDAP with SASL GSSAPI/Kerberos, so if you have an admin
account, you can update AD too. (msktutil uses this.)

Something like:
ldapsearch -Y GSSAPI -h ad1.eng.crd.com -b dc=enginering,dc=crd,dc=com \
    '(servicePrincipalName=HTTP/service10)'

> Thanks in advance.
> 
> Dave
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
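The reply above suggests enumerating servicePrincipalName attributes over LDAP and notes that each SPN should live on its own account and carry an FQDN. The script below is an added example (not from the thread, and not msktutil's or ktpass's code): it parses the LDIF that OpenLDAP's ldapsearch would return for a `(servicePrincipalName=*)` search and flags accounts carrying several SPNs, SPNs whose host part is not an FQDN, and the same SPN mapped to two accounts. The hostnames, base DN and the sample LDIF are constructed placeholders; it also implements the `<service>-<shorthostname>-<div>` account naming convention from the reply, with the "abbreviate the service" fallback.

```python
"""Audit the SPN-to-account mapping that ktpass/msktutil create in AD.

Assumed input: LDIF as produced by OpenLDAP's ldapsearch, e.g.
  ldapsearch -LLL -Y GSSAPI -H ldap://ad1.example.com \
      -b dc=example,dc=com '(servicePrincipalName=*)' \
      sAMAccountName servicePrincipalName dNSHostName
(server, base DN and hostnames are placeholders; SAMPLE_LDIF below is
constructed for the example, not captured output).
"""
import base64
import re
from collections import defaultdict

# Constructed sample: one account that violates one-principal-per-account and
# uses a short hostname, one account that follows the naming convention.
SAMPLE_LDIF = """\
dn: CN=svruser,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svruser
servicePrincipalName: HTTP/service10
servicePrincipalName: HTTP/service10.example.com
servicePrincipalName: HTTP/service11.example.com

dn: CN=h-web2-eng,OU=Service Accounts,DC=example,DC=com
sAMAccountName: h-web2-eng
servicePrincipalName: host/web2.eng.example.com
dNSHostName: web2.eng.example.com
"""

_ATTR = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:)\s*(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute-name-lowercased: [values]} dicts.

    Handles folded continuation lines, '#' comment lines and '::' base64
    values (AD returns base64 for non-ASCII and some binary attributes)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded line: append to previous
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], defaultdict(list)
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[name].append(value)              # ':<' (URL) values are kept verbatim
    return entries


def audit_spns(entries):
    """Return [(sAMAccountName, [SPNs], [issues])] for every entry.

    Checks: more than one SPN on a single account (one password, one key set),
    an SPN whose host part is not an FQDN, and the same SPN on two accounts
    (a duplicate SPN leaves the KDC unable to pick a key for that service)."""
    report, owner = [], {}
    for e in entries:
        sam = e.get("samaccountname", ["?"])[0]
        spns = e.get("serviceprincipalname", [])
        issues = []
        if len(spns) > 1:
            issues.append("multiple SPNs share one account (one password, one key set)")
        for spn in spns:
            _service, _, hostpart = spn.partition("/")
            host = hostpart.split(":")[0]        # drop an optional :port suffix
            if "." not in host:
                issues.append(f"{spn}: host part is not an FQDN")
            key = spn.lower()                    # SPN comparison is case-insensitive
            if key in owner and owner[key] != sam:
                issues.append(f"{spn}: also mapped to {owner[key]} (duplicate SPN)")
            owner.setdefault(key, sam)
        report.append((sam, spns, issues))
    return report


def account_name(service, shorthost, div, limit=19):
    """Build <service>-<shorthostname>-<div> per the thread's convention and
    abbreviate the service to its first letter if the name is not < limit."""
    name = f"{service}-{shorthost}-{div}"
    if len(name) >= limit:
        name = f"{service[0]}-{shorthost}-{div}"
    if len(name) >= limit:
        raise ValueError(f"{name!r} still too long for the {limit}-character limit")
    return name


if __name__ == "__main__":
    for sam, spns, issues in audit_spns(parse_ldif(SAMPLE_LDIF)):
        print(sam, spns)
        for issue in issues:
            print("   !", issue)
```

Pipe real ldapsearch output into `parse_ldif` instead of `SAMPLE_LDIF`; against AD add `-E pr=1000/noprompt` to the search so paged results get past the default 1000-entry page limit. Attribute names are lowercased on parsing, so `dnsHostName` and `dNSHostName` both land under the `dnshostname` key.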
