Hi Xu,

Please find my comments inline.

Xu, Qiang (FXSGSC) wrote:
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:[email protected]]
>> Sent: Friday, March 20, 2009 9:09 AM
>> To: Xu, Qiang (FXSGSC)
>> Cc: Michael Ströder; [email protected]
>> Subject: Re: SASL authentication
>>
>> Start with:
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>> Then look for ksetup program and 2003.
>> Also look at Samba for net join and winbind and also look
>> for msktutil.
>> Solaris has a script to do this
>>
>
> Hi, Douglas:
>
> Thanks for providing the URL for my reference. It is helpful, but I still
> have some questions.
>
> Here is what the tutorial said:
> =============================================
> To create a service instance account in Active Directory
>
> 1. Use the Active Directory Management tool to create a user account for the
> UNIX service; for example, create an account with the name sampleUnix1.

That is correct.

> 2. Use the Ktpass tool to set up an identity mapping for the user account.
> Use this command:
>
> C:> ktpass -princ service-insta...@realm -mapuser account-name -pass
> password -out unixmachine.keytab
>
> The format of the Kerberos service-instance name is:
> service/host.realm_name, for example:
>
> C:> ktpass -princ sample/[email protected] -mapuser sampleUnix1
> -pass password -out unix1.keytab
>
> In this case, an account is created with a meaningful name sampleUnix1,
> and a service principal name mapping is added for sample/unix1.reskit.com.
> This is the purpose of using Ktpass with the princ and mapuser switches.

Try the -setupn -setpass /ptype KRB5_NTPRINCIPAL options as well.

> 3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
> =============================================
> Apart from this, things like ksetup seem irrelevant to my case.

Ksetup is useless in your case. It is used for a Windows machine to join a Linux KDC.

> For my case, I want to add an LDAP service principal into the keytab file, so
> it probably should be:
> =============================================
> C:> ktpass -princ ldap/[email protected] -mapuser
> <what_should_i_put_here> -pass <what_should_i_put_here> -out ldap.keytab
> =============================================
> In our environment, there is a domain called "SESSWIN2003.COM", and there is
> only one machine in this domain, with the hostname called "sesswin2003.com".
> But to create the keytab file for the LDAP server (ADS in the same machine),
> what user/password should I set?

A few questions before we go ahead:
1. What is your host server? (like Windows Server 2003 SP2 SE, EE)
2. What is your ktpass version?

I have done quite an extensive exercise on this recently, so please take care of the following things:
1. It is very important that you have the right version of ktpass on the right operating system.
2. Please use the right options with ktpass.

> Thanks,
> Xu Qiang
> ________________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Thanks
nikhil
