Generating Keytabs for Windows Accounts on Linux

Michael B Allen mba2000 at ioplex.com
Mon Mar 26 12:06:31 EDT 2007


Hello,

From time to time I've seen people asking about generating keytabs on
Windows with ktpass.exe for UNIX and Linux services. Our new product
(which is free for up to 25 users) is a PHP extension for Linux that
can communicate with Active Directory to perform a variety of tasks. One
of the functions in this extension is called plexcel_gen_service_keytab
and is defined as:

  bool plexcel_gen_service_keytab(resource $px,
          string $acctname,
          string $password,
          string $keytab_path)

The plexcel_gen_service_keytab function creates a keytab file from the
supplied account name and password. The first entry of the keytab file
will have a principal matching the UPN of the named account. Additional
entries will be created for each servicePrincipalName set on the named
account. All cryptographic keys will be the same. The key is generated
from the supplied password. The current enctype and kvno are extracted
from a TGT for the account.

It has occurred to us that this could be the basis for a simple
administrative tool used to create accounts and generate service keytab
files for non-Windows systems on Windows networks. In fact, the setup
tool used to install the product can do it now. Below is a listing from
a keytab file I just created with Plexcel Setup without touching the
Windows side (and it created the account as well). I added the SPNs,
set the password and voila the keytab file was created.

  # ktutil -k /tmp/plexcel.keytab list
  /tmp/plexcel.keytab:
  
  Vno  Type              Principal
    2  arcfour-hmac-md5  appserver1@FOO.NET
    2  arcfour-hmac-md5  host/appserver1.foo.net@FOO.NET
    2  arcfour-hmac-md5  ftp/fs1.foo.net@FOO.NET
    2  arcfour-hmac-md5  nfs/fs1.foo.net@FOO.NET
    2  arcfour-hmac-md5  HTTP/appserver1.foo.net@FOO.NET

If you're interested, it's called Plexcel and is available for download
here (no registration required):

  http://www.ioplex.com/plexcel.html

Again, it's free for 25 users so a little PHP script used by a few
admins isn't going to trip up the limit.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
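As an added illustration (this is not code from the post or from Plexcel), the following Python writes a keytab in the MIT 0x0502 format with the layout the post describes, one entry per principal, all carrying the same key and kvno, and parses it back the way `ktutil list` displays it. The 16-byte key is a constructed placeholder; for arcfour-hmac-md5 the real key would be derived from the account password (derivation not shown here). Listing which principals share a key is the check a defender wants, since every name in the file is unlocked by that one secret.

```python
import struct

RC4_HMAC = 23  # enctype number that ktutil displays as "arcfour-hmac-md5"

def _cstr(b: bytes) -> bytes:  # counted string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal: str, key: bytes, kvno: int, enctype: int = RC4_HMAC, ts: int = 0) -> bytes:
    """One MIT keytab (version 0x0502) entry for a principal like 'svc/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name type NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)                    # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def build_keytab(principals, key: bytes, kvno: int) -> bytes:
    """Emit one entry per principal, all sharing one key, as the post describes."""
    return b"\x05\x02" + b"".join(keytab_entry(p, key, kvno) for p in principals)

def list_keytab(data: bytes):
    """Parse a keytab into (vno, enctype, principal, key) tuples, like 'ktutil list'."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    def take(n):
        nonlocal off
        chunk = data[off:off + n]; off += n
        return chunk
    def cstr():
        return take(struct.unpack(">H", take(2))[0])
    while off + 4 <= len(data):
        size, = struct.unpack(">i", take(4))
        if size <= 0:                        # <= 0 marks a deleted/empty slot of |size| bytes
            if size == 0: break
            off += -size; continue
        end = off + size
        ncomp, = struct.unpack(">H", take(2))
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        _nt, _ts, vno8 = struct.unpack(">IIB", take(9))
        enctype, = struct.unpack(">H", take(2))
        key = cstr()
        vno = struct.unpack(">I", take(4))[0] if end - off >= 4 else vno8
        entries.append((vno, enctype, "/".join(comps) + "@" + realm, key))
        off = end
    return entries
```

Write `build_keytab(...)` to a file and `ktutil -k <file> list` should show the same five lines as in the post; comparing `{e[3] for e in list_keytab(data)}` shows how many distinct secrets the file actually contains.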