SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at
Wed Mar 18 05:05:32 EDT 2009

> -----Original Message-----
> From: kerberos-bounces at 
> [mailto:kerberos-bounces at] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: kerberos at
> Subject: Re: SASL authentication
> First try to do a kinit with providing the password. After 
> that you could try using keytab files (on your LDAP client) 
> if needed in your setup.

Found an example on how to create the keytab file at 
Use the ktpass tool to create the keytab file and set up an identity mapping the host account. 
The following is an example showing you how to run ktpass to create the keytab file for the HP-UX host myhost with the KDC realm

C:> ktpass -princ host/myhost@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab

From the context, this seems to be done in the author's LDAP server, which is an ADS in Windows 2003 server. 

In my case, the Kerberos server and the LDAP server are both on one machine with the Windows 2003 Server OS installed on it. Should it be in the following format?
C:> ktpass -princ ldap/ at SESSWIN2003.COM -mapuser -pass mypasswd -out ldap.keytab
=============================================
is a primary domain controller, and the only machine in its domain is itself. So the domain name is the same as the hostname. But in the ADS, shall I create a user named after the computer's hostname - ""? This seems ridiculous. 

By the way, after the keytab file is generated, I would transfer it to the printer, which is the LDAP client. Which directory should I put the file in?

Or have I missed anything? Looking forward to your help, Michael.

Xu Qiang
