windows 2003 AD and keytab file generation
Paul Moore
paul.moore at centrify.com
Wed Jul 2 18:28:17 EDT 2008
In windows all computer accounts have multiple SPNs; at least
host/computer, host/computer.domain, some have as many as 10 (or even
more!)
Here's my keytab:
31 host/paul-es5.ent2k3.seattle.test@ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 host/paul-es5@ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 HTTP/paul-es5.ent2k3.seattle.test@ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 HTTP/paul-es5@ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
31 paul-es5$@ENT2K3.SEATTLE.TEST (ArcFour with HMAC/md5)
The keytab entry is the same for each one - I don't recall the keytab
maint commands but you should be able to duplicate the key entry.
(I created my keytab using our commercial product, which is much easier
than doing it manually with ktpass etc.)
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Douglas E. Engert
Sent: Wednesday, July 02, 2008 7:02 AM
To: Shambhulal R. Sharma
Cc: kerberos at mit.edu
Subject: Re: windows 2003 AD and keytab file generation
Shambhulal R. Sharma wrote:
> Hi All
>
> I am trying to use Active Directory installed on Windows Server 2003
> as KDC. I followed the Microsoft step-by-step guide
> http://technet.microsoft.com/en-us/library/bb742433.aspx to create a
> windows user account, ktpass command to map a service principal name
> to the windows user account and generate a keytab file. So far I can
> map one service principal name to one windows user account which works
> fine.
>
> I have a requirement where multiple services running on a system
> should map their service principals to a single Windows User
> preferably computer account. I would like to generate/prepare a single
> keytab file for all service [ftp,http, etc.] principal names using
> ktpass and ktutil commands.
>
From reading your note and notes from others in the past, you may be
confused by the use of the term "user account" in the Microsoft article.
You need to have an account for the service, which has objectClass:
top, person, organizationalPerson and user. (It can also have an
objectClass computer.) This account has nothing to do with the users
who will use the service.
It is an account for the service. It has to have a sAMAccountName that
is restricted to 19 characters and unique in the forest. We use a
convention something like: <service>-<simplehostname>-<div>
a fictional example: host-mylinux-it
and the servicePrincipalName would be: host/mylinux.it.ga.com@GA.COM
The account can be located anywhere in the directory tree.
> My questions:
>
> Is it possible to use a computer account to map multiple service
> principal names. I know about setspn command which can allow
> add/delete/list operations to manage service principal association
> with a windows user/computer account.
Yes. But note that since there is only one password per account, all
these principals will use the same password to generate the keys. With
RC4 there is no salt, so they will have the same key. This may not be
what you want.
>
> The problem seems to be with ktpass command, I do not know how I can
> generate keytab file for all service principal associated with a
> single user/computer account. Every time I try to use the ktpass
> -princ ...
> command it changes the kvno number which invalidates the previous
> keytab files. I tried ktpass with multiple -princ <...> -princ <...>
> options, which generates the keytab file only for the last principal
> name specified in the ktpass command line.
The best way to do this is assign a different account for each service,
so each has its own password and thus a different key.
Like:
host-mylinux host/mylinux.ga.com@GA.COM
HTTP-mylinux HTTP/mylinux.ga.com@GA.COM
You could then use the unix tools to merge keytab files generated by
ktpass if needed.
Or you could use something like msktutil or the Solaris scripts to do
all the ldap commands to AD to add/mod accounts and manage keytabs.
>
> Is it possible to have multiple service principals associated with a
> single computer/user account. Due to some security reasons this is not
> permitted on Windows.
Yes it is, but they will share the same key.
>
> SAM SHARMA
>
>
>
> <http://technet.microsoft.com/en-us/library/bb742433.aspx#EBAA>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
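Added example, not from anyone in this thread: a minimal reader/writer for the MIT keytab file format (version 0x0502) that clones one entry's key under additional SPNs, which is the "duplicate the key entry" step Paul describes and also makes Doug's point concrete that every SPN on one AD account ends up with the same RC4 key. Principal names and kvno 31 are taken from the keytab listing above; the 16-byte key is a constructed dummy, not a real credential.

```python
import struct

RC4_HMAC = 23  # enctype shown as "ArcFour with HMAC/md5" in the listing above

def _cstr(b):  # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def encode_entry(principal, kvno, enctype, key, timestamp=0):
    # One MIT keytab (format 0x0502) entry, including its int32 length prefix.
    name, realm = principal.rsplit("@", 1); comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, ts, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno extension used by MIT and Heimdal
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    # Returns one dict per entry; deleted slots (negative length) are skipped.
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries

def clone_key_for_spns(keytab, source_principal, new_spns):
    # Append entries for new_spns reusing source_principal's key and kvno: the
    # "duplicate the key entry" step for several SPNs on one AD account.
    src = next(e for e in parse_keytab(keytab) if e["principal"] == source_principal)
    for spn in new_spns:
        keytab += encode_entry(spn, src["kvno"], src["enctype"], src["key"])
    return keytab

# Constructed demo data: dummy 16-byte key (not a real credential), kvno 31 as in the listing.
HOST_SPN = "host/paul-es5.ent2k3.seattle.test@ENT2K3.SEATTLE.TEST"
DEMO_KEYTAB = clone_key_for_spns(
    b"\x05\x02" + encode_entry(HOST_SPN, 31, RC4_HMAC, bytes(range(16))),
    HOST_SPN, ["host/paul-es5@ENT2K3.SEATTLE.TEST", "HTTP/paul-es5@ENT2K3.SEATTLE.TEST"])
```

The same code reads a keytab written by ktutil or ktpass, so it can be used to confirm that entries merged from several accounts really do carry different keys and kvnos.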
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos