AD keytabs for unix host

swbell kerygma2 at swbell.net
Mon May 24 11:00:11 EDT 2004


The keytab file is where shared secrets are stored for things that can't be
stored in the user's brain - secrets for host accounts, services, etc.

Kinit obtains a normal user's ticket granting ticket without looking in the
keytab because there isn't anything in there that kinit needs.  The shared
secret that kinit uses is the password the user types in.

However, kinit can get a ticket granting ticket using the keytab for a host
account, for example:  kinit -k host/paul.mydomain.com@MYDOMAIN.COM

A service (like smtp) can use the keytab too.  This is what
gss_accept_sec_context will do for you when you kerberize a server.  The
service principal name (smtp/mailer.mydomain.com@MYDOMAIN.COM) can have an
entry in the keytab.

in article 304f3217.0405240541.122a18da at posting.google.com, melissa_benkyo
at wyl_lyf at yahoo.com wrote on 5/24/04 8:41 AM:

> hello all,
> 
> I'm quite confused about this situation. I have read the step-by-step
> Kerberos interoperability and it is stated that I should add the Unix
> host and ktutil the keytab file created.
> 
> I'm trying to log in from a Unix machine using AD users. If I remove the
> keytab file, it still works. I'm not sure then what the keytab is
> for. Is this a bug in my Kerberos? Even kinit works without the keytab
> file???
> 
> thanks! any help is much appreciated!
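As an added example (not from the original post or its author): a small Python reader for the MIT keytab file format, version 2, that lists the principals stored in a keytab roughly the way klist -k does. It makes the point of the reply concrete: what lives in the keytab is keys for host and service principals (host/..., smtp/...), not user passwords, which is why a plain user kinit never touches it. The sample keytab, its principals and its zero-filled keys are constructed inside the code.

```python
import struct
# MIT keytab format v2 (magic 0x0502): entries prefixed by a signed 32-bit size
# (negative size = deleted slot). Keys are shared secrets, never user passwords.
MAGIC_V2 = b"\x05\x02"
def _counted(b):  # 16-bit big-endian length prefix, then the bytes
    return struct.pack(">H", len(b)) + b
def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; name_type 1 = NT_PRINCIPAL."""
    out = MAGIC_V2
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
def parse_keytab(blob):
    """Return one dict per live entry (principal, kvno, enctype, key length)."""
    if blob[:2] != MAGIC_V2:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    def counted():  # read a 16-bit length-prefixed field at pos
        nonlocal pos
        (n,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        val = blob[pos:pos + n]; pos += n
        return val
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4]); pos += 4
        if size < 0:             # deleted slot: skip its bytes entirely
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _ntype, _ts, vno8 = struct.unpack(">IIB", blob[pos:pos + 9]); pos += 9
        (enctype,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:       # optional 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack(">I", blob[pos:pos + 4])[0] or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "keylen": len(key)})
    return entries
# Constructed sample keytab: a host principal and a service principal, dummy keys.
SAMPLE_KEYTAB = build_keytab([
    ("host/paul.mydomain.com@MYDOMAIN.COM", 3, 18, bytes(32)),    # 18 = aes256-cts
    ("smtp/mailer.mydomain.com@MYDOMAIN.COM", 2, 23, bytes(16)),  # 23 = rc4-hmac
])
```

Pointing parse_keytab at the bytes of a real /etc/krb5.keytab is a quick way to audit which principals and key versions a host actually holds, and to spot stale kvnos after a password reset in AD.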
