Automating keytab creation when using windows 2003 KDC and linux clients

Markus Moeller huaraz at moeller.plus.com
Mon Jan 2 06:31:43 EST 2006


Instead of using ktpass on the KDC you can do it all directly from the Unix 
system, by using tools like net ads join from Samba. (Keep in mind that you 
need to authenticate to the KDC to create accounts, and if you automate this 
completely (e.g. with a hardcoded password) the password will be known at 
some point and may compromise your overall security.)

See also my response from November 
http://mailman.mit.edu/pipermail/kerberos/2005-November/008836.html

Markus

<sandypossible at gmail.com> wrote in message 
news:1136182831.864285.319000 at f14g2000cwb.googlegroups.com...
> Hi all,
>
> I am using a Windows 2003 Domain controller as KDC and I am using Linux
> machines. The steps I have followed to make these Linux machines
> use the Windows 2003 server are as follows:
> 1. Configured Windows 2003 as domain controller, added the Linux
> machines as users.
> 2. Generated keytab files using the ktpass tool.
> 3. Tested the GSS server and GSS client communication. It works fine.
>
> I notice that I had to add the Linux machines as users, generate
> separate keytab files for each account and copy those on to the Linux
> machines. The problem is it requires a lot of manual stuff to do. I
> am looking into how to automate this procedure. Could you please
> suggest how to go about it? Could you please let me know if this is
> the standard method of doing it as of now? Are there any other
> methods? I am really aiming at automating this procedure as it will be
> difficult to configure non-Windows systems which act as application
> servers if they are large in number.
>
> Could you please let me know your suggestions ?
>
> - Sandy.
> 
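The following script is an added example, not code from either poster, of the approach Markus describes: let the Linux host join the domain itself with Samba's net ads tools and write its own keytab, without embedding an administrator password in the automation. It assumes Samba's `net` and the MIT Kerberos `klist` are installed, that smb.conf already points at the Windows 2003 realm, and that the operator has obtained an admin ticket beforehand (e.g. `kinit admin@EXAMPLE.COM`); the script refuses to proceed when no ticket is present rather than falling back to a stored password, and it checks that the resulting keytab is not world-readable.

```shell
#!/bin/sh
# Added example: automate an AD domain join from the Linux side with Samba's
# `net ads`, using an existing Kerberos ticket instead of a hardcoded password.
# Assumptions: Samba `net`, MIT krb5 `klist`, smb.conf configured for the realm.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}   # default location Samba writes to

# Return 0 only if the caller already holds a valid (unexpired) TGT.
# `klist -s` is silent and exits non-zero when there is no usable ticket.
have_ticket() {
    klist -s 2>/dev/null
}

# Join the domain with the Kerberos ticket (-k) and write the host's keys
# (host/ and any SPNs registered for this account) into the keytab.
join_and_write_keytab() {
    net ads join -k || return 1
    net ads keytab create || return 1
}

# A keytab holds long-term keys, so it must be readable by root only.
# Accepts the keytab path; returns 0 when its mode is 600 or 400, 1 otherwise.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Tighten the mode on an existing keytab and re-check it.
secure_keytab() {
    [ -f "$1" ] || return 1
    chmod 600 "$1" || return 1
    keytab_mode_ok "$1"
}

main() {
    if ! have_ticket; then
        echo "no Kerberos ticket: run kinit as a domain admin first" >&2
        return 1
    fi
    join_and_write_keytab || { echo "domain join failed" >&2; return 1; }
    secure_keytab "$KEYTAB" || { echo "could not secure $KEYTAB" >&2; return 1; }
    klist -k "$KEYTAB"   # show the principals now held by this host
}

# Run the procedure only when executed directly, not when sourced for testing.
[ "${0##*/}" = "join-ad.sh" ] && main "$@"
```

Because the ticket is obtained interactively (or from a short-lived credential an orchestration tool injects at run time), nothing persistent on the host ever contains the admin password, which addresses the caveat in the reply above; the host's own keytab is the only secret left behind, and the mode check makes sure it is not exposed to other local users.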