service principals in AD from unix kerberos clients
Dirk Pape
pape at inf.fu-berlin.de
Fri Jan 30 03:47:29 EST 2004
Hello,
In article <B8-dne8jS6HvsYjdRVn-hg at is.co.za>,
"Ryan Odgers" <odgersr at out.co.za> wrote:
> I have AD users corresponding to the services, e.g. telnet and ftp, and have
> used ktpass to generate the following principals:
> telnet/xxx.test.com at TEST.COM
> ftp/xxx.test.com at TEST.COM
>
> I just get lost in how to get a ticket from Windows to use that service. If
> I am on the Unix machine and do a kinit with the service as above, I can
> authenticate, and if I do a klist the ticket is listed. How do I make a
> Kerberos-aware client on Windows authenticate using these credentials?
As far as I know (and as I did it), you have to look into the documentation of the
services (here ftp and telnet) to find out what SPN they will look for
and where (in which keytab) they will look for it. There might be some
additional config parameters to force the service to use another keytab
or another SPN, but that is not always the case.
Once you have found that out, you have to create the keytab entry for this SPN in
AD, map it to the service account user you created (ktpass ... /mapuser
...), transfer it to the service host and merge it into the service's
keytab.
If the Unix service runs under a different user (e.g. ftp for the
ftp service), you have to ensure that this user (and only this user) has
read access to the keytab which contains the key.
Regards,
Dirk.
--
Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
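The Unix side of the procedure Dirk describes (take the ktpass-generated keytab, merge it into the service's keytab, make sure only the service user can read it), as an added example that is not part of the thread. It implements the MIT keytab file format (version 0x0502, which ktpass /out is assumed here to write) directly instead of calling ktutil, so it runs offline; the Windows side would be a call along the lines of ktpass /princ ftp/xxx.test.com@TEST.COM /mapuser TEST\ftpsvc /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass * /out ftp.keytab, where the account name ftpsvc and the crypto choice are assumptions. The sample entry (a placeholder 16-byte key, kvno 3, enctype 23 for ftp/xxx.test.com@TEST.COM), the file paths and the service user are constructed for the example.

```python
"""Merge a ktpass-generated keytab into a Unix service keytab and lock it down.

Added example, not code from the mailing-list thread.  Implements the MIT keytab
format (version 0x0502) so it runs without krb5 tools; ktutil's rkt/wkt do the same
merge interactively.  Paths, service user and the sample entry are placeholders.
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab, format version 2
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
SAMPLE_TIMESTAMP = 1075452449  # fixed (constructed) entry timestamp for reproducibility


@dataclass(frozen=True)
class KeytabEntry:
    realm: str
    components: Tuple[str, ...]   # ("ftp", "xxx.test.com")
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm

    def slot(self) -> Tuple[str, int, int]:
        # Same principal, kvno and enctype is the same key slot: merging twice must not duplicate it.
        return (self.principal, self.kvno, self.enctype)


def _octets(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b        # counted_octet_string: uint16 length + bytes


def pack_entry(e: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(e.components)) + _octets(e.realm.encode())
    body += b"".join(_octets(c.encode()) for c in e.components)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _octets(e.key)
    body += struct.pack(">I", e.kvno)            # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body   # int32 entry size, then the entry


def _parse_entry(buf: bytes) -> KeytabEntry:
    pos = 0

    def octets() -> bytes:
        nonlocal pos
        (n,) = struct.unpack_from(">H", buf, pos)
        pos += 2 + n
        return buf[pos - n:pos]

    (ncomp,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    realm = octets().decode()
    comps = tuple(octets().decode() for _ in range(ncomp))
    name_type, ts, vno8 = struct.unpack_from(">IIB", buf, pos)
    pos += 9
    (enctype,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    key = octets()
    kvno = vno8
    if pos + 4 <= len(buf):                      # optional 32-bit kvno; non-zero overrides vno8
        (kvno32,) = struct.unpack_from(">I", buf, pos)
        kvno = kvno32 or vno8
    return KeytabEntry(realm, comps, name_type, ts, kvno, enctype, key)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                            # negative size: hole left by ktutil delent; skip it
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def merge_keytabs(service_keytab: bytes, ktpass_keytab: bytes) -> bytes:
    merged = parse_keytab(service_keytab) if service_keytab else []
    seen = {e.slot() for e in merged}
    for e in parse_keytab(ktpass_keytab):
        if e.slot() not in seen:                 # idempotent: a second merge adds nothing
            merged.append(e)
            seen.add(e.slot())
    return KEYTAB_MAGIC + b"".join(pack_entry(e) for e in merged)


def install_keytab(path: str, data: bytes, uid: int, gid: int) -> None:
    # Create with mode 0600 from the start so the key is never readable by others, hand the file
    # to the service user (chown needs root unless uid/gid are already yours), then rename into place.
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chown(path + ".tmp", uid, gid)
    os.replace(path + ".tmp", path)


def keytab_problems(path: str, uid: int) -> List[str]:
    # Post-install check: only the service user (and root) may read the keytab.
    st, problems = os.stat(path), []
    if st.st_uid != uid:
        problems.append("owner is uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        problems.append("mode %o grants group/other access" % (st.st_mode & 0o777))
    return problems


def sample_ktpass_keytab() -> bytes:
    # Constructed stand-in for ktpass output; the key bytes are a placeholder, not real key material.
    e = KeytabEntry("TEST.COM", ("ftp", "xxx.test.com"), KRB5_NT_PRINCIPAL, SAMPLE_TIMESTAMP,
                    kvno=3, enctype=23, key=bytes(range(16)))
    return KEYTAB_MAGIC + pack_entry(e)


def demo() -> Tuple[List[str], List[str]]:
    # Merge the ktpass keytab into an empty service keytab under a temp dir, owned by the current user.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ftp.keytab")
        install_keytab(path, merge_keytabs(b"", sample_ktpass_keytab()), os.getuid(), os.getgid())
        with open(path, "rb") as f:
            names = [e.principal for e in parse_keytab(f.read())]
        return names, keytab_problems(path, os.getuid())


if __name__ == "__main__":
    print(demo())   # (['ftp/xxx.test.com@TEST.COM'], [])
```

On a real host the uid/gid passed to install_keytab would be those of the service account (the ftp user in Dirk's example) and the path the keytab the daemon's documentation says it reads; keytab_problems is the check to run afterwards, since a keytab that is group- or world-readable hands the service key to every local user.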