UNIX GSS-API / Windows SSPI :
Douglas E. Engert
deengert at anl.gov
Mon Sep 20 15:32:44 EDT 2004
The MIT ktutil has an addent subcommand added in 1999-08-06 sometime
prior to version 1.2.2. Heimdal implemented the add subcommand in
March of 1998.
As you point out the Solaris 9 verison of ktutil does not have this.
I don't think it has arcfour support in the libs either. We use MIT
Kerberos on Solaris which does introperate will with Windows AD.
Jacques Lebastard wrote:
> Douglas E. Engert wrote:
>>>> If your service is running on Unix, then you must make sure that
>>>> you create a keytab containing entries for each of the keys that
>>>> Windows can produce for the SPN. (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
>>>> The DES enctypes will only be used if the account associated with
>>>> the SPN is marked DES only.
>>> How can I check this and, second question, how can I generate a
>>> keytab with RC4-HMAC encryption ? The ktpass tool does not accept the
>>> RC4-HMAC crypto type:
>> If you knew the password (or key) added to AD, you could try using
>> instead of ktpass.
>> Use addent ... -e arcfour-hmac-md5
>> Ktutil let me create a keytab, I don't know if is correct.
> No such 'addent' command for ktutil running on Solaris 9 :-( :
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Kerberos