Automating configuration while using windows 2003 KDC and linux clients

Douglas E. Engert deengert at anl.gov
Tue Jan 3 14:39:55 EST 2006 


sandypossible at gmail.com wrote:
> Hi all,
> 
> I am using windows 2003 Domain controller as KDC and I am using linux
> machines. The steps what I have followed to make these linux machines
> to use windows 2003 server are as follows:
> 1. Configured windows 2003 as domain controller, added the linux
> machines as users.
> 2. Generated keytab files using ktpass tool.
> 3. Tested the gss server and gss client communication. It works fine.
> 
> I notice that I had to add the linux mahines as users, generate
> seperate keytab files for each account and copy those on to the linux
> machines. The problem is it requires as lot of manual stuffs to do. I
> am looking in to how to automate this procedure. Could you please
> suggest how to go about it ? Could you please let me know if this is
> the standard method of doing it as of now ? Are there any other methods
> ? I am really aiming at automating this procedure as it will be
> difficult to configure non windows systems which act as application
> servers and if they are large in number.
> 
> Could you please let me know your suggestions ?

In addition to the samba approach, there is also the netjoin unix programs
originally written by Micrsoft to add an account to AD, and update the
keytab file.

An updated version is also available, see:

  http://sourceforge.net/projects/netjoin

This works with W2k3 and can use RC4-HMAC.

I started looking at this last month, and it looks promising. It can
work with sasl-2.1.21 and OpenLDAP-2.3.11 and krb5-1.4.1 at least.

Has anyone else looked at this?

There where 150 downloads, but little or no other activity on the
sourceforge site.


I have run into only minor problems:

The ldap code will use the DNS SRV records to find a DC to bind to so
it can add the account. Then the Kerberos change password protocol is
used to change the password for the account. This uses the krb5.conf
or the DNS SRV records to find the admin_server or a master kdc. If
this does not use the same AD as the ldap, then the password may not
be changed, as there is some propagation deley within AD between DCs
of the new account. It looks like with a special krb5.conf and the -s
option one could force the same DC to be used for both.

It is setup to only add host service principals, but needs to be able
to add others like cvs, pop, afs.







 > - Sandy.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list