problem with 2003 krb and mit krb integration with mozilla thunderbird on a multiple realm scenario
Dan Perry
dperry at pppl.gov
Thu Feb 2 12:41:35 EST 2006
>
>What we are stating to do is use a program, msktutil, that will use LDAP to
>added the account and add the UPN and SPNs, and update the keytab. Its
>still
>under development, and I hope the author will publicize it more in the
>future.
>[I am BCC'ing him on this note.]
>
I've been meaning to send a note out to a Kerberos/Active Directory interop
group for a little while now...
If you're interested, I have a tool called msktutil, which is designed to be
a 'better' ktpass. You can download the source from:
http://www.pppl.gov/~dperry/msktutil.tar.gz
This tool was written about a year and a half ago, and we use it regularly in
our production Linux cluster. It should build with MIT Kerberos 1.3 or
later, a recent openldap library (I've used 2.2 and 2.3) and a recent SASL
library. It also should build with heimdal 0.7. If the MIT folk like this
utility, I'd be happy to work on donating this code to their project and
having it integrated into their distribution.
msktutil will let you create computer accounts, service principals, and
keytabs directly in active directory. This tool will create a computer, and
associated one or more principals with that account, for example you can
create a computer account called 'linux-host' and associate principals such
as host/linux-host.domain and ftp/linux-host.domain with that computer
account. In following with active directory's model, msktutil can create one
primary principal (the UPN), and as many service principals as you desire.
Msktutil also includes some flexibility (Thanks to recent feedback I've
gotten from Douglas Engert) in naming computer accounts. For example, you
may wish to have one principal for host/fqdn, and another for http/fqdn, and
you may wish for those principals to be separate for security reason. With
msktutil, you can use the --computer-name option to specify different
computers for the two services, i.e. server-host and server-http.
Tiago, you may want to give msktutil a shot. It should be much easier to get
working then ktpass.
-Dan
More information about the Kerberos
mailing list