service principal management with Active Directory KDC

Michael B Allen mba2000 at ioplex.com
Tue Apr 3 12:20:06 EDT 2007


On Tue, 03 Apr 2007 10:17:41 -0400
Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:

> 
> Hi we want to use our Active Directory KDC to manage service principals 
> for nfs and ssh for quite a few Linux and Solaris machines, and would 
> prefer to automate generating the service principals and installing them 
> on the clients.
<snip>
> If anyone has any thoughts or ideas about this, I'd be happy to hear 
> them.  Thanks!

Hi Rohit,

There's a PHP extension for Linux called Plexcel that can create accounts
in AD, add, modify and delete attributes (e.g. SPNs), set passwords and,
most importantly, it has the following function:

  bool plexcel_gen_service_keytab(resource $px,
          string $acctname,
          string $password,
          string $keytab_path)

The plexcel_gen_service_keytab function creates a keytab file from the
supplied account name and password. The first entry of the keytab file
will have a principal matching the UPN of the named account. Additional
entries will be created for each servicePrincipalName set on the named
account. All cryptographic keys will be the same. The key is generated
from the supplied password. The current enctype and kvno are extracted
from a TGT acquired for the account.

This function was added for the Plexcel Setup utility so that the operator
would not have to do anything on the Windows end to install it. But it has
occurred to us that this could be the basis for a simple administrative
tool used to generate service keytab files for UNIX services. In fact,
the Plexcel Setup utility can do it now. Below is a listing from a keytab
file I created with Plexcel Setup. I added the SPNs, set the password
and voila the keytab file was created.

  # ktutil -k /tmp/plexcel.keytab list
  /tmp/plexcel.keytab:

  Vno  Type              Principal
    2  arcfour-hmac-md5  appserver1@FOO.NET
    2  arcfour-hmac-md5  host/appserver1.foo.net@FOO.NET
    2  arcfour-hmac-md5  ftp/fs1.foo.net@FOO.NET
    2  arcfour-hmac-md5  nfs/fs1.foo.net@FOO.NET
    2  arcfour-hmac-md5  HTTP/appserver1.foo.net@FOO.NET

Of course you don't have to use the same account for all services. This
is just the way Plexcel Setup works. The API is very easy to use. There's
a detailed developer's guide with an API reference.

Also, PHP has an SSH extension that looks like it can scp files around
(but I've never tried it). And Plexcel fully supports SSO and delegation
so the said SSH extension should be able to use your creds to do the copy
so at no time should you have to enter a password or put passwords in
config files. You just have to access the site with credentials suitable
for creating accounts in AD.

Anyway the package is here:

  http://www.ioplex.com/plexcel.html

Note that even though it's a commercial product, it is free for up to
25 users so a web utility used by a few admins isn't going to cost you
a dime. And there's no registration required to download it. We only
ask that if you have any problems that you let us know so that we can
make the product better for the paying customers.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
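The keytab behaviour Mike describes (one entry for the account's UPN, one per servicePrincipalName, all sharing a single key derived from the password, with the kvno and enctype taken from the listing above) can be reproduced with a small stand-alone script. The following is an added example written for this archive page; it is not Plexcel code and does not use the Plexcel API. It assumes the MIT keytab file format (version 0x0502), the arcfour-hmac-md5 string-to-key from RFC 4757 (MD4 over the UTF-16LE password, with no salt), the kvno of 2 seen in the ktutil listing, and a constructed sample password. The `list_keytab` parser reads the file back so the result can be checked without ktutil.

```python
import struct

ENCTYPE_ARCFOUR_HMAC_MD5 = 23   # IANA enctype number for arcfour-hmac-md5
NT_PRINCIPAL = 1                # KRB5_NT_PRINCIPAL name type
MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); included because modern OpenSSL builds
    often ship without MD4 in hashlib."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 of the UTF-16LE password. There is no
    salt, which is why every principal on the account gets the same key
    and why the keytab is exactly as sensitive as the password itself."""
    return _md4(password.encode("utf-16-le"))


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _principal_bytes(principal: str) -> bytes:
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = struct.pack(">H", len(comps)) + _counted(realm.encode())
    out += b"".join(_counted(c.encode()) for c in comps)
    return out + struct.pack(">I", NT_PRINCIPAL)


def gen_service_keytab(acctname: str, password: str, realm: str, spns,
                       kvno: int, timestamp: int = 0) -> bytes:
    """Build a v0x502 keytab: first entry is the account UPN, then one
    entry per SPN, all carrying the same password-derived key."""
    key = rc4_hmac_string_to_key(password)
    principals = [f"{acctname}@{realm}"] + [f"{spn}@{realm}" for spn in spns]
    out = b"\x05\x02"
    for p in principals:
        entry = (_principal_bytes(p)
                 + struct.pack(">IB", timestamp, kvno & 0xFF)
                 + struct.pack(">HH", ENCTYPE_ARCFOUR_HMAC_MD5, len(key)) + key
                 + struct.pack(">I", kvno))          # 32-bit kvno extension
        out += struct.pack(">i", len(entry)) + entry
    return out


def list_keytab(data: bytes):
    """Parse a v0x502 keytab into (vno, enctype, principal, key) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        (rlen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, vno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:              # prefer the 32-bit kvno when present
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            vno = vno32 or vno
        pos = end
        entries.append((vno, etype, "/".join(comps) + "@" + realm, key))
    return entries


if __name__ == "__main__":
    # Constructed sample input mirroring the ktutil listing in the message.
    kt = gen_service_keytab("appserver1", "password", "FOO.NET",
                            ["host/appserver1.foo.net", "ftp/fs1.foo.net",
                             "nfs/fs1.foo.net", "HTTP/appserver1.foo.net"], kvno=2)
    for vno, etype, princ, key in list_keytab(kt):
        print(f"{vno:>3}  {etype:>3}  {princ}  {key.hex()}")
```

The listing printed by the `__main__` block matches the shape of the ktutil output above, and the hex column makes the point the message only states in passing: every entry shares one key. An operator reviewing such a keytab should treat it with the same care as the account password, and rotating the password (which bumps the kvno in AD) invalidates every entry at once.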