Problems integrating Kerberos 5-1.2.5 client into W2K AD

Dirk Pape pape at
Thu Sep 19 02:51:08 EDT 2002

Hello Anthony,

In article 
<10E6C696E40B654AB7B5A934DB181F9A5FA8 at>,
 abrock at ("Anthony Brock") wrote:

> ***** BEGIN *****
> C:\Temp>ktpass -princ host/ at CAMPUS.GEORGEFOX.EDU -pass
> mypassword -out test.keytab
> Key created.
> Output keytab to test.keytab:
> Keytab version: 0x502
> keysize 70 host/ at CAMPUS.GEORGEFOX.EDU ptype 1
> (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8
> (0xeac72f15ead37c4f)
> ***** END *****

you have to create a service account for the machine in your w2k AD and 
map the host-principal name to that account. There is a step-by-step 
guide from Microsoft for Kerberos interoperabilty on 
s.asp>, which describes the procedure.

It says you have to create a *user*-account but we also succeeded with a 
"computer" account which becomes attached with the SPN. The 
ktpass-command then looks:

ktpass -princ host/ at CAMPUS.GEORGEFOX.EDU -mapuser 
<account-for-the-machine> -pass mypassword -out test.keytab

you have to see a message like "mapping successful".

install the keytab on the unix-host in the appropriate place (mostly 
/etc/krb5/krb5.keytab) and authenticate the host with kinit -k.


Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190

More information about the Kerberos mailing list