"Keytab extraction using krb5_set_password() from windows KDC"

sandypossible@gmail.com sandypossible at gmail.com
Tue Apr 4 11:31:51 EDT 2006


Hi all,

I am working on implementing Kerberos on an embedded device. I am
aiming at using "Windows 2000 Server as KDC".

Please note that I had to add host names as users, generate separate
keytab files for each account and copy those onto the target. The
problem is that it requires a lot of manual stuff to do. I am looking
into how to automate this procedure.

I queried earlier regarding this and got replies which were of good
help to me. I am trying to use the netjoin reference code given by
Microsoft, which was written by M Moeller. Among the earlier replies I
got one whose link is given below:

http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/2b856ea605b5a64f/f12f4b8734a9d9cc?q=sandypossible&rnum=3#f12f4b8734a9d9cc

The summary of the reply was: create the account manually in the Windows
AD, then use Kerberos APIs such as change_password() to extract
the key. I am trying this approach and I am able to extract the key
into a keytab file.

Steps followed:
1) Created the host name "test" account manually under "users". Using
ktpass, mapped the host name "test" to the MIT Kerberos format
without extracting the key to the keytab file. (This I did by following
the reply from the Kerberos group.)
-> ktpass -princ host/test.kerberos.com@KERBEROS.COM -mapuser test -pass passwd

2) Got the TGT for the Administrator of the domain on the target.

and then used the set_password() function, which extracts the key and
stores it into the keytab file.

After this I used "kinit -k host/test.kerberos.com" and got the TGT.
My questions are:
1) Will this really verify that the password was changed successfully
and that I have the correct key extracted? Are there any other methods to
verify this?
2) Is the mapping using the ktpass tool really required, as given in step 1
above? Could you please explain?
3) Will this approach work for Windows 2003 Server?

Regards.
Sandy.
