service principals in AD for unix kerberos clients

Ryan Odgers odgersr at out.co.za
Mon Jan 26 10:04:14 EST 2004


"Dirk Pape" <pape at inf.fu-berlin.de> wrote in message
news:pape-C456F5.09163326012004 at news.fu-berlin.de...
> In article <EYydnYZ5UJlKeZLdRVn-hA at is.co.za>,
>  "Ryan Odgers" <odgersr at out.co.za> wrote:
>
> > If the KDC is win2000 and the kerberos client is UNIX or MIT, does
> > cross-realm authentication still need to be set up?
> > It is the same kerberos realm, the unix machine points to the 2000 KDC as
> > its server.
>
> we have done this successfully here:
>
> having Unix hosts sshd and apache authenticate users from Windows 2003
> AD via kerberos.
> We use Win 2003 Server (but it also worked with windows 2000 Server AD),
> I remember SFU was necessary to make it work.
>
> I do not see, what we did different from what you did, but there were
> two things we had to struggle with:
>
> 1. you have to set up one user account (not computer account) for every
> service you want to be kerberized (this reads: there is a one-to-one-map
> between service principals and service accounts).

I have AD users corresponding to the services, e.g. telnet and ftp, and have
used ktpass to generate the following principals:
telnet/xxx.test.com at TEST.COM
ftp/xxx.test.com at TEST.COM

I just get lost in how to get a ticket from windows to use that service. If
I am on the unix machine and do a kinit with the service as above, I can
authenticate, and if I do a klist the ticket is listed. How do I make a
Kerberos-aware client on Windows authenticate using these credentials?
>
> 2. you have to be sure that you have the correct name of the principal
> (as used by the service) and that the keytab is found and readable by
> the service.
>
> Regards,
> Dirk.
>
> --
> Dr. Dirk Pape (Leiter des Rechnerbetriebs)
> FB Mathematik und Informatik der FU-Berlin
> Takustr. 9, 14195 Berlin
> Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
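One way to turn Dirk's second point into a check on the Unix side, as an added example that is not code from either poster: a small parser for the MIT keytab file format (version 0x0502, the format MIT clients read and that ktpass produces for Unix hosts) that confirms the exact service principal name the service will look up is present, and that the keytab is readable by the service account alone. The principal names are the two from this thread; the kvno values and key bytes are constructed, and `build_keytab` exists only to produce sample input offline.

```python
import os, pathlib, struct, tempfile

def build_keytab(entries):  # builds a v2 (0x0502) keytab from [(principal, kvno, enctype, key)]; sample input only
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        strings = [realm.encode()] + [c.encode() for c in name.split("/")]   # realm first, then name components
        body = struct.pack(">H", len(strings) - 1) + b"".join(struct.pack(">H", len(s)) + s for s in strings)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body   # each entry: int32 length, then the entry body
    return out

def _read_strings(data, pos, n):  # read n "counted octet strings" (uint16 big-endian length, then bytes)
    out = []
    for _ in range(n):
        ln = struct.unpack_from(">H", data, pos)[0]
        out.append(data[pos + 2:pos + 2 + ln].decode())
        pos += 2 + ln
    return out, pos

def parse_keytab(data):  # -> [(principal, kvno, enctype)] for every live entry in the keytab
    if data[:2] != b"\x05\x02": raise ValueError("not an MIT v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)          # a negative size marks a deleted slot
        if size > 0:
            ncomp = struct.unpack_from(">H", data, pos)[0]
            (realm, *comps), pos = _read_strings(data, pos + 2, ncomp + 1)
            _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen                                  # skip fixed fields plus the key itself
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8   # 32-bit kvno if present
            entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def check_keytab(path, expected):  # Dirk's point 2: exact principal present, file not readable by others
    mode = os.stat(path).st_mode & 0o777
    problems = ["%s is group/world accessible (mode %o)" % (path, mode)] if mode & 0o077 else []
    with open(path, "rb") as f:
        present = {p for p, _, _ in parse_keytab(f.read())}
    return problems + ["missing principal %s (names are case-sensitive)" % p for p in expected if p not in present]

def demo(mode=0o600):  # writes a constructed keytab with the thread's two principals and checks it
    expected = ["telnet/xxx.test.com@TEST.COM", "ftp/xxx.test.com@TEST.COM"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "service.keytab")   # enctype 23 = rc4-hmac; the 16-byte keys are dummies
        pathlib.Path(path).write_bytes(build_keytab([(p, i + 2, 23, bytes([i + 1]) * 16) for i, p in enumerate(expected)]))
        os.chmod(path, mode)
        return check_keytab(path, expected)
```

`demo()` returns an empty list for a correctly populated 0600 keytab; `demo(0o644)` reports the loose mode, and a lookup under a differently cased host or realm name is reported as missing because the comparison is exact.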
