On 1/24/2011 2:24 PM, Jeff draht wrote:
> Doug thank you very much for that very detailed information.
>
> Just one last question though?
>
> Every time the xf1adm user logs in, do they have to kinit -k -t to
> that keytab file?

When you say xf1adm logs on, what do you mean?

You could still have a local login at the console using some password in shadow, or NIS, then use the user keytab to get kerberos credentials.

If xf1adm is a real user consider using pam_krb5, so no user keytab is needed, and the user enters a password.

If it is from cron, then the kinit -k -t would be part of the cron job, or use kstart.

If the login is from some other machine via ssh, consider using ssh with GSSAPI. ssh to sshd can use GSSAPI that uses Kerberos, and can delegate a ticket too, so there is no user keytab on the sshd machine.

> Otherwise, how does the userid know about it?
>
> Jeff
>
> On Jan 14, 5:28 pm, "Douglas E. Engert"<[email protected]> wrote:
>> On 1/14/2011 3:26 PM, Russ Allbery wrote:
>>> "Draht, Jeffrey"<[email protected]> writes:
>>>> I’d rather communicate this way if possible?
>>>>
>>>> Does the kadmin binary run on a non-kdc Solaris_10 ldap, kerberos
>>>> Client?
>>>>
>>>> The KDC and AD Server are Windows 2008.
>>>>
>>>> I am having difficulty with keytabs. I’d rather have the Unix Team
>>>> Administer Rather than have the Intel/MS Team Create them?
>>>
>>> Unfortunately, each major Kerberos implementation uses a substantially
>>> different kadmin protocol (well, Heimdal's kadmind server supports most of
>>> the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
>>> protocol at all.
>>>
>>> You can create something kadmin-like to run on UNIX and create keytabs for
>>> AD if you use LDAP to create the object in AD and set its password and
>>> then generate a key from the same password. I don't know if anyone has
>>> already done that work and provided it in some easy-to-use packaged form,
>>> though.
>>
>> That would be the msktutil program.
>> http://download.systemimager.org/~finley/msktutil/
>> Supports AES and AD 2008. Can also run on Solaris.
>>
>> The Solaris adjoin script in effect does this too.
>>
>> But from our previous e-mails, if what you are trying to do is
>> create a keytab for a user for SAP, and the user is already in AD,
>> all you need is /usr/bin/ktutil that comes with Solaris:
>>
>> Assuming the [email protected] is in AD with a known password,
>> this could create a keytab for it. The user can do it themselves:
>>
>> % ktutil
>> ktutil: addent -password -p [email protected] -k 2 -e arcfour-hmac-md5
>> Password for [email protected]:
>> ktutil: wkt /tmp/test.keytab
>> ktutil: q
>>
>> % klist -k -e -t /tmp/test.keytab
>> Keytab name: FILE:/tmp/test.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- ---------------------------------------------------------
>>    2 01/14/11 16:21:04 [email protected] (ArcFour with HMAC/md5)
>>
>> Store it in some other location than /tmp, on a local disk readable
>> only by the user.
>>
>> Looking at your previous notes, you were trying to use
>> [email protected]. Is it really [email protected]?
>>
>> If not, see my comments about uppercase realm names even if
>> Windows is case insensitive, and are you really trying to do
>> cross realm between LAB-PASHE.LCL and passhe.edu?
>>
>> --
>> Douglas E. Engert <[email protected]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
