Douglas E. Engert deengert at anl.gov
Mon Sep 20 15:32:44 EDT 2004

The MIT ktutil has an addent subcommand added in 1999-08-06 sometime
prior to version 1.2.2.  Heimdal implemented the add subcommand in
March of 1998.

As you point out the Solaris 9 verison of ktutil does not have this.
I don't think it has arcfour support in the libs either. We use MIT
Kerberos on Solaris which does introperate will with Windows AD.

Jacques Lebastard wrote:

> Douglas E. Engert wrote:
>>>> If your service is running on Unix, then you must make sure that
>>>> you create a keytab containing entries for each of the keys that
>>>> Windows can produce for the SPN.  (RC4-HMAC, DES-CBC-MD5, DES-CBC-CRC).
>>>> The DES enctypes will only be used if the account associated with
>>>> the SPN is marked DES only.
>>> How can I check this and, second question, how can I generate a 
>>> keytab with RC4-HMAC encryption ? The ktpass tool does not accept the 
>>> RC4-HMAC crypto type:
>> If you knew the password (or key) added to AD, you could try using 
>> ktutil,
>> instead of ktpass.
>> Use addent ... -e arcfour-hmac-md5
>> Ktutil let me create a keytab, I don't know if is correct.
> No such 'addent' command for ktutil running on Solaris 9 :-(  :


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list