Creating an MIT style keytab for an existing Windows AD member computer

Nicolas Williams Nicolas.Williams at sun.com
Wed Jul 23 21:40:46 EDT 2008


On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> 
> >> Extracting the keys from AD is not possible [1].
> 
> > Nor is it possible to extract them from MIT krb5 KDCs.
> 
> It is as of 1.6 using kadmin.local (not that this changes the rest of your
> point).

Right, it doesn't -- running kadmin.local on the KDC with sufficient
privilege qualifies as "privileged access to a KDC" :)


