Using Kerberos on UNIX against AD2003
Douglas E. Engert
deengert at anl.gov
Thu Sep 28 10:38:06 EDT 2006
jzm wrote:
> Hello,
> I have to build a solution to authenticate users on both Windows and Unix
> workstations. I have read two tutorials about this subject:
>
> *
> http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/kerberos_intro.htm
> *
> http://www.microsoft.com/downloads/details.aspx?familyid=144f7b82-65cf-4105-b60c-44515299797d&displaylang=en&Hash=cwNSqMUbevRWz%2beV3cx%2bhgkMKnIxhWQc0UeWuXDU0YRUGy1O%2bqvC6l2nT%2fBCDBjwGTgHQFrALnNABCAKP%2fOppQ%3d%3d
> *
>
> There is a point I do not understand and I hope you could help me. When you
> want to add a UNIX user in AD, you have to create a keytab file
No. The keytab files are for servers, not users. An AD user is a Kerberos
user.
> on the
> server (with this command: Ktpass -princ hostname/username.xyz.com@MYREALM
> -mapuser username -pass password -out username.keytab),
The -mapuser is a misleading term. For a server you create in AD what
looks like a "user" account but it is for the server only. Then the ktpass
command assigns a Service Principal Name or SPN to the "user" account for
this service. When you create this "user" account for the service, you can
pick a name for it (which must be unique in the forest); we have been using
something like <service>-<host>-<first.dns.component> (we have an extra DNS
level in most of our names), so if the host was called mylinux.div.anl.gov
the "username" for the service principal would be host-mylinux-div
and the SPN would be host/mylinux.div.anl.gov@ANL.GOV
The commonly used service name is host. There could be others like
HTTP, pop, cvs, afs or ftp. Using the <service>-<hostname> allows each to
have a different account name and SPN.
So your ktpass should look something like:
Ktpass -princ host/hostname.xyz.com@MYREALM
-mapuser host-hostname -pass password -out hostname.keytab
> then go to the
> workstation and merge this file with the workstation's keytab file. Here is
> my question: I have 10 workstations, I want to add a new user who could use
> any of these workstations. Do I have to create 10 keytab files and then merge
> them on the 10 workstations?
No. Only add one account for each server.
> Actually I am working with more than 30 UNIX
> users/workstations, so I guess you can understand my problem :) Do I miss
> something? Are there any easier solutions?
Yes, msktutil and Samba's winbind. Google for msktutil.
>
> Thank you !
> Regards, Benoit.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
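As an added illustration (not part of the thread above), the following shell functions apply the <service>-<host>-<first.dns.component> naming convention from the reply to produce the account name, the SPN and the matching ktpass invocation for a UNIX host. The 20-character limit on the AD account name is a check I added; the password and the realm are placeholders.

```shell
#!/bin/sh
# Added example: derive the AD account name and SPN for a UNIX host
# per the <service>-<host>-<first.dns.component> convention and print
# the ktpass command to run on the domain controller.

# spn_account SERVICE FQDN -> "<service>-<shortname>-<first dns component>"
spn_account() {
    service=$1
    fqdn=$2
    shortname=${fqdn%%.*}          # mylinux.div.anl.gov -> mylinux
    rest=${fqdn#*.}                # -> div.anl.gov
    first_dns=${rest%%.*}          # -> div
    printf '%s-%s-%s\n' "$service" "$shortname" "$first_dns"
}

# spn_name SERVICE FQDN REALM -> "service/fqdn@REALM"
spn_name() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# check_account NAME -> succeeds only if NAME fits AD's 20-character
# sAMAccountName limit (a long host or service name can exceed it)
check_account() {
    [ "${#1}" -le 20 ]
}

# ktpass_cmd SERVICE FQDN REALM -> the ktpass line from the reply, with
# the password left as a placeholder and the keytab named after the host
ktpass_cmd() {
    acct=$(spn_account "$1" "$2")
    if ! check_account "$acct"; then
        echo "account name '$acct' exceeds 20 characters" >&2
        return 1
    fi
    printf 'ktpass -princ %s -mapuser %s -pass <password> -out %s.keytab\n' \
        "$(spn_name "$1" "$2" "$3")" "$acct" "${2%%.*}"
}

# Usage with the host from the reply, for two different services
ktpass_cmd host mylinux.div.anl.gov ANL.GOV
ktpass_cmd HTTP mylinux.div.anl.gov ANL.GOV
```

Each service on the same host gets its own account and SPN, which is the point of including the service name in the account name.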