On 1/14/2011 3:26 PM, Russ Allbery wrote:
> "Draht, Jeffrey" <[email protected]> writes:
>
>> I'd rather communicate this way if possible?
>>
>> Does the kadmin binary run on a non-KDC Solaris 10 LDAP/Kerberos
>> client?
>>
>> The KDC and AD server are Windows 2008.
>>
>> I am having difficulty with keytabs. I'd rather have the Unix team
>> administer them rather than have the Intel/MS team create them?
>
> Unfortunately, each major Kerberos implementation uses a substantially
> different kadmin protocol (well, Heimdal's kadmind server supports most of
> the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
> protocol at all.
>
> You can create something kadmin-like to run on UNIX and create keytabs for
> AD if you use LDAP to create the object in AD and set its password and
> then generate a key from the same password. I don't know if anyone has
> already done that work and provided it in some easy-to-use packaged form,
> though.
That would be the msktutil program:
http://download.systemimager.org/~finley/msktutil/
It supports AES and AD 2008, and can also run on Solaris. The Solaris adjoin
script in effect does this too.

But from our previous e-mails, if what you are trying to do is create a keytab
for a user for SAP, and the user is already in AD, all you need is
/usr/bin/ktutil, which comes with Solaris. Assuming [email protected] is
in AD with a known password, this could create a keytab for it. The user can
do it themselves:

  % ktutil
  ktutil: addent -password -p [email protected] -k 2 -e arcfour-hmac-md5
  Password for [email protected]:
  ktutil: wkt /tmp/test.keytab
  ktutil: q
  % klist -k -e -t /tmp/test.keytab
  Keytab name: FILE:/tmp/test.keytab
  KVNO Timestamp         Principal
  ---- ----------------- ---------------------------------------------------------
     2 01/14/11 16:21:04 [email protected] (ArcFour with HMAC/md5)

Store it in some other location than /tmp, on a local disk readable only by
the user.

Looking at your previous notes, you were trying to use [email protected].
Is it really [email protected]? If not, see my comments about uppercase realm
names even if Windows is case insensitive. And are you really trying to do
cross-realm between LAB-PASHE.LCL and passhe.edu?

-- 
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
