Listing what's already mapped

Douglas E. Engert deengert at anl.gov
Mon Oct 1 14:56:52 EDT 2007



treschaud33 at yahoo.com wrote:
> How can I list all the servers that I have mapped with the Ktpass
> command?
> 
> We are using Kerberos for SSO from our Middle Tier application that we
> develop.  To make this work I must map the middle Tier's servername
> with an account in the domain.  Here's a sample ktpass command that I
> use to do this:
> 
>      ktpass -princ HTTP/server10 at ENGINEERING.CRD.COM -mapuser svruser -
> pass svruserpwd

Each principal should have its own account, as the account has a single
password that is used to generate the keys and keytab for all the servicePrincipalNames
mapped to that account. And Kerberos principals are normally FQDN,
so it is not clear if the above -princ will work either.

For the account name, since the account name length must be < 19 and unique in
the forest, we use a convention of <service>-<shorthostname>-<div>
where the principal is <service>/<shorthostname>.<div>.anl.gov at realm,
and if it is too long, abbreviate the service name, like h for host.

Rather than using ktpass we use msktutil (Google for it).
It uses LDAP and authenticates to AD, adds the account and SPNs, and creates
keytabs. Samba has some tools too.

> 
> I'm working in a development environment and have done this many
> times.  I'd like to know which machines I have already mapped.  How
> can I get the list?  The domain controller is Win Server 2003 SP1
> 
You can use the Windows mmc with the ADSI snap-in to look at AD. So
you can then look at each account and look for servicePrincipalName attributes.

If you also have LDAP, you can do an ldapsearch for the servicePrincipalName=xxxx
or maybe even dnsHostName (msktutil sets this.)

Any other LDAP browser could be used like JXplorer.

Note that AD will accept LDAP with SASL GSSAPI/Kerberos so if you have an admin
account, you can update AD too. (msktutil uses this.)

Something like:
ldapsearch -Y GSSAPI -h ad1.eng.crd.com -b dc=engineering,dc=crd,dc=com \
servicePrincipalName="HTTP/service10"

> Thanks in advance.
> 
> Dave
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
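An added example (not code from the thread or from msktutil) of doing offline what the reply describes: it parses the LDIF that `ldapsearch -LLL` prints for the attributes sAMAccountName and servicePrincipalName into an account-to-SPN map, then checks for the pitfalls the reply mentions (short host names instead of FQDNs, one account's password standing behind keys for several hosts) plus the same SPN registered on two accounts. The sample LDIF, account names and hosts are constructed.

```python
import re
from collections import defaultdict

# Constructed sample LDIF, as `ldapsearch -LLL` would print it (not real directory data).
SAMPLE_LDIF = """\
dn: CN=http-server10-eng,OU=Svc,DC=engineering,DC=crd,DC=com
sAMAccountName: http-server10-eng
servicePrincipalName: HTTP/server10.engineering.crd.com
servicePrincipalName: HTTP/server10

dn: CN=svruser,CN=Users,DC=engineering,DC=crd,DC=com
sAMAccountName: svruser
servicePrincipalName: HTTP/server11.engineering.crd.com
servicePrincipalName: host/server12.engineering.crd.com
servicePrincipalName: http/server10.engineering.crd.com
"""

def parse_ldif(text):
    """Map sAMAccountName -> [SPNs]; joins LDIF folded lines (leading space)."""
    entries = {}
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)   # LDIF continuation lines
        account, spns = None, []
        for line in unfolded.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "sAMAccountName":
                account = value
            elif attr == "servicePrincipalName":
                spns.append(value)
        if account:
            entries[account] = spns
    return entries

def audit_spns(entries):
    """Flag short (non-FQDN) hosts, one account carrying SPNs for several
    hosts (one password behind all their keys), and an SPN on two accounts.
    SPNs are compared case-insensitively, as AD does."""
    problems, owners = [], defaultdict(set)
    for account, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].add(account)
            if "." not in spn.partition("/")[2]:
                problems.append(f"non-FQDN SPN {spn} on {account}")
        hosts = {spn.partition("/")[2].split(".")[0].lower() for spn in spns}
        if len(hosts) > 1:
            problems.append(f"{account} carries SPNs for {len(hosts)} hosts")
    for spn, accounts in owners.items():
        if len(accounts) > 1:
            problems.append(f"duplicate SPN {spn} on {sorted(accounts)}")
    return sorted(problems)
```

Feed it the real output of the ldapsearch above (with `-LLL sAMAccountName servicePrincipalName` appended) to get the list of accounts already mapped and the ones worth a second look.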
