Douglas E. Engert wrote: > Xu, Qiang (FXSGSC) wrote: > > Michael said in an earilier note ktpass was not want you needed. > Unless I missed something, I assumed the ldap service is going to be > running on a Unix system. In which case ktpass is what you want.
As I understood the original poster he wants to use LDAP SASL Bind with mechanism GSSAPI in his LDAP client when accessing MS AD. For this to work a normal kinit should be sufficient for a first test of his LDAP client code. If his own LDAP *client* runs as a long-running service (e.g. a networked printer) then he would need a keytab extracted with the help of ktpass.exe. AFAICS in these postings the first test did not succeed yet. >> In reference to >> http://technet.microsoft.com/en-us/library/bb742433.aspx, it seems the >> only tool to use is ktpass. But the problem is, as I said before, I >> don't know which user to associate in creating the keytab file. > > The term "user account" used by Microsoft refers to the AD > objectClass user. It has nothing to do with the user's who will be > using the service. You are in effect creating a service account for > the service, and ktpass will map the principal of the service to the > account. Since account names can not have / and have to by 19 > characters or less, you could name the account something like > ldap-sesswin2003. You create a user with a sAMAccountName and a userPrincipalName (LDAP attribute names) and then use this userPrincipalName as parameter for kinit. LDAP-bind with SASL/GSSAPI will automagically obtain a service ticket. See my local test with OpenLDAP command-line tool below (all names manually obfuscated). If something fails check your DNS and /etc/krb5.conf especially regarding enc types. Maybe I got the original poster wrong though... Ciao, Michael. -----------Get Ticket Granting Ticket (TGT)----------- $ kinit [email protected] Password for [email protected]: -----------List Tickets----------- $ klist Ticket cache: FILE:/tmp/krb5cc_4242 Default principal: [email protected] Valid starting Expires Service principal 03/21/09 00:39:14 03/21/09 10:39:16 krbtgt/[email protected] renew until 03/22/09 00:39:14 Kerberos 4 ticket cache: /tmp/tkt4242 klist: You have no tickets cached -----------LDAP-Bind SASL/GSSAPI----------- $ ldapsearch -H ldap://dc1.testdomain.dom -b "" -s base -Y GSSAPI "(objectClass=*)" namingContexts SASL/GSSAPI authentication started SASL username: [email protected] SASL SSF: 56 SASL data security layer installed. dn: namingContexts: DC=testdomain,DC=dom namingContexts: CN=Configuration,DC=testdomain,DC=dom namingContexts: CN=Schema,CN=Configuration,DC=testdomain,DC=dom namingContexts: DC=DomainDnsZones,DC=testdomain,DC=dom namingContexts: DC=ForestDnsZones,DC=testdomain,DC=dom -----------List Tickets----------- $ klist Ticket cache: FILE:/tmp/krb5cc_4242 Default principal: [email protected] Valid starting Expires Service principal 03/21/09 00:39:14 03/21/09 10:39:16 krbtgt/[email protected] renew until 03/22/09 00:39:14 03/21/09 00:40:57 03/21/09 10:39:16 ldap/[email protected] renew until 03/22/09 00:39:14 Kerberos 4 ticket cache: /tmp/tkt500 klist: You have no tickets cached ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
