> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: [email protected]
> Subject: Re: SASL authentication
>
> First try to do a kinit with providing the password. After
> that you could try using keytab files (on your LDAP client)
> if needed in your setup.

Found an example on how to create the keytab file at
http://docs.hp.com/en/J4269-90049/ch04s03.html:

=============================================
Use the ktpass tool to create the keytab file and set up an identity
mapping the host account. The following is an example showing you how
to run ktpass to create the keytab file for the HP-UX host myhost with
the KDC realm cup.hp.com:

C:> ktpass -princ host/[email protected] -mapuser myhost -pass mypasswd -out unix.keytab
=============================================

From the context, this seems to be done in the author's LDAP server, which is
an ADS in Windows 2003 server.

For my case, Kerberos server and LDAP server are all in one machine with
Windows 2003 server OS installed on it. Should it be the following format?

=============================================
C:> ktpass -princ ldap/[email protected] -mapuser sesswin2003.com -pass mypasswd -out ldap.keytab
=============================================

sesswin2003.com is a primary domain controller, and the only machine in its
domain is itself. So the domain name is the same as the hostname.

But in the ADS, shall I create a user named after the computer's hostname -
"sesswin2003.com"? This seems ridiculous.

By the way, after the keytab file is generated, I would transfer it to the
printer, which is the LDAP client. Which directory should I put the file in?

Or if I have missed anything?

Looking forward to your help, Michael.

Thanks,
Xu Qiang

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
