Creating an MIT style keytab for an existing Windows AD member computer
Nicolas Williams
Nicolas.Williams at sun.com
Wed Jul 23 15:33:54 EDT 2008
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible [1].
Nor ist it possible to extract them from MIT krb5 KDCs.
> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a keytab file.
You can build keytabs directly on MIT krb5 systems using the MIT krb5
API, or even interactively with kpasswd and ktutil (an early version of
adjoin [see below] did just that).
Or you could probably just use or adapt Sun's adjoin/ksetpw tools to
your purposes:
http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp
http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf
http://opensolaris.org/os/project/winchester/files/adjoin-s10u4.tar.gz
http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz
> Note that you must have at least account operator privilege to set a
> password in AD.
Indeed.
> Mike
>
> [1] There is a freeware utility called ktexport that can extract the
> keys from a DC and dump them into a keytab but it is only (sometimes)
> useful for debugging purposes with WireShark. The resulting keytab is
> not valid for use with any kind of service.
Sure, if you have direct, privileged access to a KDC you could always
extract its keys. Portions of the KDC could run directly in a hardware
keystore, making it really hard to get to the keys, but that's not the
case here.
Nico
--
More information about the Kerberos
mailing list