Problems integrating Kerberos 5-1.2.5 client into W2K AD
Dirk Pape
pape at inf.fu-berlin.de
Thu Sep 19 02:51:08 EDT 2002
Hello Anthony,
In article
<10E6C696E40B654AB7B5A934DB181F9A5FA8 at foxmail.georgefox.edu>,
abrock at georgefox.edu ("Anthony Brock") wrote:
> ***** BEGIN *****
>
> C:\Temp>ktpass -princ host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU -pass
> mypassword -out test.keytab
> Key created.
> Output keytab to test.keytab:
>
> Keytab version: 0x502
> keysize 70 host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU ptype 1
> (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8
> (0xeac72f15ead37c4f)
>
> ***** END *****
You have to create a service account for the machine in your w2k AD and
map the host-principal name to that account. There is a step-by-step
guide from Microsoft for Kerberos interoperability on
<http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp>,
which describes the procedure.
It says you have to create a *user*-account but we also succeeded with a
"computer" account which becomes attached with the SPN. The
ktpass command then looks like:
ktpass -princ host/web.georgefox.edu@CAMPUS.GEORGEFOX.EDU -mapuser
<account-for-the-machine> -pass mypassword -out test.keytab
You should see a message like "mapping successful".
Install the keytab on the unix host in the appropriate place (mostly
/etc/krb5/krb5.keytab) and authenticate the host with kinit -k.
Bye,
Dirk.
--
Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
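Added example (editor's code, not part of Dirk's reply or of ktpass/MIT Kerberos): before running kinit -k on the unix host, a practitioner usually wants to confirm that the keytab ktpass produced really contains the host principal and to notice when, as in the output quoted above, the only key is single DES (etype 0x1, 8-byte key). The script below writes and parses the 0x0502 keytab layout that ktpass reports and checks exactly that. The principal, realm, timestamp and key bytes are constructed sample values, and the AES/RC4 enctype numbers come from RFC 3961/4757, not from the post.

```python
"""Build a version-0x0502 keytab in memory, parse it back, and check that
the expected host principal is present while flagging single-DES keys.
All principal names, the timestamp and the key bytes are constructed."""
import struct
from dataclasses import dataclass

# Enctype numbers: 1 is the DES-CBC-CRC the post's ktpass output shows;
# the others are the RFC 3961 / RFC 4757 assignments (assumed, not from the post).
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
                 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
SINGLE_DES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1  # the "ptype 1" in the ktpass output


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _octets(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries in the MIT/Heimdal keytab version 2 (0x0502) layout."""
    out = b"\x05\x02"
    for e in entries:
        comps, realm = e.principal.rsplit("@", 1)
        names = comps.split("/")
        body = struct.pack(">H", len(names)) + _octets(realm.encode())
        for n in names:
            body += _octets(n.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _octets(e.key)
        body += struct.pack(">I", e.kvno)           # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body  # each entry is length-prefixed
    return out


def parse_keytab(data: bytes):
    """Return the KeytabEntry list stored in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []

    def rd_octets():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n]
        pos += n
        return s

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = rd_octets().decode()
        comps = [rd_octets().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = rd_octets()
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, etype, key))
    return entries


def check_keytab(data: bytes, expected_principal: str):
    """(found, warnings): found is True when expected_principal has an entry;
    warnings lists keys that are single DES, i.e. what ktpass emitted by default here."""
    found, warnings = False, []
    for e in parse_keytab(data):
        if e.principal == expected_principal:
            found = True
        if e.enctype in SINGLE_DES:
            warnings.append("%s kvno %d uses %s (single DES, %d-byte key)"
                            % (e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype), len(e.key)))
    return found, warnings


# Constructed sample mirroring the shape of the post's output: etype 0x1, 8-byte key.
SAMPLE_ENTRY = KeytabEntry("host/web.example.test@CAMPUS.EXAMPLE.TEST", KRB5_NT_PRINCIPAL,
                           1032418268, 1, 1, bytes.fromhex("0011223344556677"))
SAMPLE_KEYTAB = build_keytab([SAMPLE_ENTRY])

if __name__ == "__main__":
    ok, warns = check_keytab(SAMPLE_KEYTAB, SAMPLE_ENTRY.principal)
    print("principal present:", ok)
    for w in warns:
        print("WARNING:", w)
```

To run it against a real file, pass `open("/etc/krb5/krb5.keytab", "rb").read()` and the host principal you gave to ktpass to check_keytab; a missing principal explains a failing kinit -k, and a single-DES warning tells you the account needs a stronger enctype before the keytab is trusted.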