Automating keytab creation when using windows 2003 KDC and linux clients
Markus Moeller
huaraz at moeller.plus.com
Mon Jan 2 09:48:13 EST 2006
Sorry I didn't check the link, it was working some time ago fine. I think
the only way to automate it is via the ldap interface to Active Directory
( at least I am not aware of any other easy way). You may be able to write a
GSSAPI client server app to create the AD entry and fetch the keytab.
Regards
Markus
<sandypossible at gmail.com> wrote in message
news:1136205560.145899.224640 at z14g2000cwz.googlegroups.com...
> Hi,
>
> Thanks a lot for the reply. I am trying to implement kerberos on an
> embedded device. I used linux systems to understand interoperability
> with windows.
>
> Tools like net ads join has other dependencies such as ldap. Since I am
> trying for an embedded device, it looks like it is not feasible. Could
> you please tell me if there are any other simple ways of doing it ?
>
> Also the link:
> http://www.pppl.gov/~dperry/msktutil/ doesnt open :(
>
> - Sandy.
>
> Markus Moeller wrote:
>> Instead of using ktpass on the kdc you can do all directly from the Unix
>> system, by using tools like net ads join from samba. (Keep in mind that
>> you
>> need to authenticate to the kdc to create accounts and if you automate
>> this
>> completly (e.g. with a hardcoded password) the password will be known at
>> some point and may compromise your overall security)
>>
>> See also my response from November
>> http://mailman.mit.edu/pipermail/kerberos/2005-November/008836.html
>>
>> Markus
>>
>> <sandypossible at gmail.com> wrote in message
>> news:1136182831.864285.319000 at f14g2000cwb.googlegroups.com...
>> > Hi all,
>> >
>> > I am using windows 2003 Domain controller as KDC and I am using linux
>> > machines. The steps what I have followed to make these linux machines
>> > to use windows 2003 server are as follows:
>> > 1. Configured windows 2003 as domain controller, added the linux
>> > machines as users.
>> > 2. Generated keytab files using ktpass tool.
>> > 3. Tested the gss server and gss client communication. It works fine.
>> >
>> > I notice that I had to add the linux mahines as users, generate
>> > seperate keytab files for each account and copy those on to the linux
>> > machines. The problem is it requires as lot of manual stuffs to do. I
>> > am looking in to how to automate this procedure. Could you please
>> > suggest how to go about it ? Could you please let me know if this is
>> > the standard method of doing it as of now ? Are there any other methods
>> > ? I am really aiming at automating this procedure as it will be
>> > difficult to configure non windows systems which act as application
>> > servers and if they are large in number.
>> >
>> > Could you please let me know your suggestions ?
>> >
>> > - Sandy.
>> >
>
More information about the Kerberos
mailing list