> -----Original Message-----
> From: Douglas E. Engert [mailto:[email protected]] 
> Sent: Friday, March 20, 2009 9:09 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; [email protected]
> Subject: Re: SASL authentication
> 
> Start with:
> http://technet.microsoft.com/en-us/library/bb742433.aspx
> Then look for ksetup program and 2003.
> Also look at Samba for net join and winbind, and also look 
> for msktutil.
> Solaris has a script to do this

Hi, Douglas: 

Thanks for providing the URL for my reference. It is helpful, but I still have 
some questions. 

Here is what the tutorial said: 
=============================================
To create a service instance account in Active Directory 

1. Use the Active Directory Management tool to create a user account for the 
UNIX service; for example, create an account with the name sampleUnix1.

2. Use the Ktpass tool to set up an identity mapping for the user account. Use 
this command:

    C:> Ktpass -princ service-insta...@realm -mapuser account-name -pass password 
-out unixmachine.keytab

    The format of the Kerberos service-instance name is: 
service/host.realm_name, for example:

    C:> ktpass -princ sample/[email protected] -mapuser sampleUnix1 
-pass password -out unix1.keytab

    In this case, an account is created with a meaningful name sampleUnix1, and 
a service principal name mapping is added for sample/unix1.reskit.com. This is 
the purpose of using Ktpass with the princ and mapuser switches.

3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
=============================================
Apart from this, things like ksetup seem irrelevant to my case. 

For my case, I want to add an LDAP service principal into the keytab file, so 
it probably should be:
=============================================
    C:> ktpass -princ ldap/[email protected] -mapuser 
<what_should_i_put_here> -pass <what_should_i_put_here> -out ldap.keytab
=============================================
In our environment, there is a domain called "SESSWIN2003.COM", and there is 
only one machine in this domain, with the hostname called "sesswin2003.com". 
But to create the keytab file for the LDAP server (ADS in the same machine), 
what user/password should I set?

Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
