Doug, thank you very much for that very detailed information. Just one last question, though:
Every time the xf1adm user logs in, do they have to kinit -k -t to that keytab file? Otherwise, how does the userid know about it?

Jeff

On Jan 14, 5:28 pm, "Douglas E. Engert" <[email protected]> wrote:
> On 1/14/2011 3:26 PM, Russ Allbery wrote:
> > "Draht, Jeffrey" <[email protected]> writes:
> >
> >> I'd rather communicate this way if possible?
> >>
> >> Does the kadmin binary run on a non-KDC Solaris_10 LDAP, Kerberos
> >> client?
> >>
> >> The KDC and AD server are Windows 2008.
> >>
> >> I am having difficulty with keytabs. I'd rather have the Unix team
> >> administer them rather than have the Intel/MS team create them?
> >
> > Unfortunately, each major Kerberos implementation uses a substantially
> > different kadmin protocol (well, Heimdal's kadmind server supports most of
> > the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
> > protocol at all.
> >
> > You can create something kadmin-like to run on UNIX and create keytabs for
> > AD if you use LDAP to create the object in AD and set its password and
> > then generate a key from the same password. I don't know if anyone has
> > already done that work and provided it in some easy-to-use packaged form,
> > though.
>
> That would be the msktutil program:
> http://download.systemimager.org/~finley/msktutil/
> Supports AES and AD 2008. Can also run on Solaris.
>
> The Solaris adjoin script in effect does this too.
>
> But from our previous e-mails, if what you are trying to do is
> create a keytab for a user for SAP, and the user is already in AD,
> all you need is /usr/bin/ktutil that comes with Solaris:
>
> Assuming the [email protected] is in AD with a known password,
> this could create a keytab for it. The user can do it themselves:
>
> % ktutil
> ktutil: addent -password -p [email protected] -k 2 -e arcfour-hmac-md5
> Password for [email protected]:
> ktutil: wkt /tmp/test.keytab
> ktutil: q
>
> % klist -k -e -t /tmp/test.keytab
> Keytab name: FILE:/tmp/test.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ---------------------------------------------------------
>    2 01/14/11 16:21:04 [email protected] (ArcFour with HMAC/md5)
>
> Store it in some other location than /tmp, on a local disk readable
> only by the user.
>
> Looking at your previous notes, you were trying to use
> [email protected]. Is it really [email protected]?
>
> If not, see my comments about uppercase realm names even if
> Windows is case insensitive, and are you really trying to do
> cross-realm between LAB-PASHE.LCL and passhe.edu?
>
> --
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
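An added example, not code from this thread or from any of its participants: a small Python reader and writer for the keytab file that ktutil wkt produces and klist -k -e -t lists above, so the fields that matter for kinit -k -t (principal, KVNO, enctype) can be checked on a keytab without the Solaris tools. It assumes the MIT krb5 keytab layout (version bytes 0x05 0x02, big-endian lengths, optional 32-bit KVNO trailer), which Solaris's MIT-derived ktutil is assumed to share. The principal xf1adm@EXAMPLE.COM, the key bytes and the timestamp are constructed test data, not values from the page.

```python
"""Read and write MIT-style keytab files (format version 0x0502).

Added example; assumes the MIT krb5 entry layout, all big-endian:
  int32 size | uint16 ncomp | realm | ncomp x component | uint32 name_type
  | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key
  [| uint32 vno32]
where realm and each component are uint16 length + bytes.
"""
import struct
import time

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1

# RFC 3961/4757 enctype numbers, with the names klist -e prints for them.
ENCTYPE_NAMES = {
    3: "DES cbc mode with RSA-MD5",
    16: "Triple DES cbc mode with HMAC/sha1",
    17: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
    23: "ArcFour with HMAC/md5",
}


def _counted(raw: bytes) -> bytes:
    """uint16 length prefix + bytes: the keytab string encoding."""
    return struct.pack(">H", len(raw)) + raw


def write_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno trailer, for kvno > 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data: bytes):
    """Parse a keytab into dicts: principal, kvno, enctype, key, timestamp."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:            # a deleted entry leaves a negative-sized hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos)
        realm = data[pos + 2:pos + 2 + rlen].decode()
        pos += 2 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:      # newer writers append the full 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "key": key, "timestamp": ts})
    return entries


def find_entry(entries, principal, kvno=None, enctype=None):
    """Entry kinit -k -t would pick for principal (highest kvno), or None.
    The principal comparison is exact, so realm case matters."""
    matches = [e for e in entries if e["principal"] == principal
               and (kvno is None or e["kvno"] == kvno)
               and (enctype is None or e["enctype"] == enctype)]
    return max(matches, key=lambda e: e["kvno"]) if matches else None


def klist_lines(entries):
    """Render entries the way klist -k -e -t prints them."""
    lines = ["KVNO Timestamp         Principal",
             "---- ----------------- " + "-" * 57]
    for e in entries:
        stamp = time.strftime("%m/%d/%y %H:%M:%S", time.localtime(e["timestamp"]))
        name = ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"])
        lines.append("%4d %s %s (%s)" % (e["kvno"], stamp, e["principal"], name))
    return lines


# Constructed sample: one RC4-HMAC entry, as the ktutil addent above would
# write for a user principal (key bytes and timestamp are made up).
SAMPLE_KEYTAB = write_keytab([
    ("xf1adm@EXAMPLE.COM", 2, 23, bytes(range(16)), 1295043664),
])

if __name__ == "__main__":
    parsed = read_keytab(SAMPLE_KEYTAB)
    print("\n".join(klist_lines(parsed)))
    print(find_entry(parsed, "xf1adm@EXAMPLE.COM", enctype=23) is not None)
```

find_entry does the same exact-match lookup a keytab-based kinit starts with, which is why a keytab written for xf1adm@example.com will never satisfy a request for xf1adm@EXAMPLE.COM even though Windows itself treats the realm case-insensitively; that is the uppercase-realm point Doug raises above.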
