service principals in AD for unix kerberos clients

Douglas E. Engert deengert at anl.gov
Fri Jan 30 09:54:28 EST 2004



Dirk Pape wrote:
> 
> Hello,
> 
> In article <B8-dne8jS6HvsYjdRVn-hg at is.co.za>,
>  "Ryan Odgers" <odgersr at out.co.za> wrote:
> 
> > I have AD users corresponding to the services eg. telnet and ftp and have
> > used ktpass to generate the following principals.
> > telnet/xxx.test.com at TEST.COM
> > ftp/xxx.test.com at TEST.COM
> >

Usually the principal would be host/xxx.test.com at TEST.COM.
The same principal is used by all the "login" type daemons
that start user processes, or allow access to the local file
systems as a user.

You can look at the client code to see what it wants, or 
use a network trace. http://www.ethereal.com/ has a nice
trace program that can format Kerberos packets, as the client
requests a ticket for the service. 



> > I just get lost in how to get a ticket from windows to use that service. if
> > i am on the unix machine and do a kinit with the service as above, I can
> > authenticate and if I do a klist the ticket is listed. How do I make a
> > kerberos aware client on windows to authenticate using these credentials?
> 
> as far as I know and did, you have to look into the documentation of the
> services (here ftp and telnet) to find out, what SPN they will look for
> and where (in which keytab) they will look for it. There might be some
> additional config parameters to force the service to use another keytab
> or another SPN but that is not always the case.
> 
> If you found out you have to create the keytab entry for this SPN in the
> AD, map it to the service account user you created (ktpass ... /mapuser
> ...), transfer it to the service host and merge it into the service's
> keytab.
> 
> If the unix service runs under a different user (e. g. ftp for the
> ftp-service) you have to ensure that this user (and only this user) has
> read access to the keytab which contains the key.
> 
> Regards,
> Dirk.
> 
> --
> Dr. Dirk Pape (Leiter des Rechnerbetriebs)
> FB Mathematik und Informatik der FU-Berlin
> Takustr. 9, 14195 Berlin
> Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
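Dirk's steps end with merging the ktpass output into the service's keytab; the check that follows is knowing which SPNs the merged file really holds before the daemon is started. Below is an added example (not code from either poster) that reads the MIT keytab file format, version 0x0502, and reports its principals. The keytab bytes are constructed inline with the thread's xxx.test.com / TEST.COM names; the rc4-hmac enctype (23) and the 16-byte all-zero and all-0x11 keys are placeholder values, not real key material.

```python
import struct

def _cstr(data, pos):
    # Counted octet string: big-endian uint16 length, then that many bytes.
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:              # negative size: a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp)
        pos += 8                  # skip uint32 name_type and uint32 timestamp
        vno8, enctype, keylen = struct.unpack(">BHH", data[pos:pos + 5])
        pos += 5 + keylen         # skip over the key material itself
        # Optional trailing uint32 kvno; a nonzero value overrides the 8-bit one.
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
        pos = end
    return entries

def build_entry(principal, kvno, enctype, key):
    # Encoder used only to construct the sample keytab below (placeholder keys).
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: host/ and ftp/ keys merged into one keytab (enctype 23 = rc4-hmac).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("host/xxx.test.com@TEST.COM", 3, 23, b"\x00" * 16)
                 + build_entry("ftp/xxx.test.com@TEST.COM", 2, 23, b"\x11" * 16))

def has_spn(data, spn):
    return any(p == spn for p, _, _ in parse_keytab(data))
```

Run `has_spn(open(path, "rb").read(), "host/xxx.test.com@TEST.COM")` against the real file as the service account; if it is false, the daemon will not find the key whatever the service account in AD is called.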

