SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Wed Mar 18 05:05:32 EDT 2009


> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
> 
> First try to do a kinit with providing the password. After 
> that you could try using keytab files (on your LDAP client) 
> if needed in your setup.

Found an example on how to create the keytab file at http://docs.hp.com/en/J4269-90049/ch04s03.html: 
=============================================
Use the ktpass tool to create the keytab file and set up an identity mapping the host account. 
The following is an example showing you how to run ktpass to create the keytab file for the HP-UX host myhost with the KDC realm cup.hp.com:

C:> ktpass -princ host/myhost@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab
=============================================
From the context, this seems to be done in the author's LDAP server, which is an ADS in Windows 2003 server. 

For my case, Kerberos server and LDAP server are all in one machine with Windows 2003 server OS installed on it. Should it be the following format?
=============================================
C:> ktpass -princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser sesswin2003.com -pass mypasswd -out ldap.keytab
=============================================
sesswin2003.com is a primary domain controller, and the only machine in its domain is itself. So the domain name is the same as the hostname. But in the ADS, shall I create a user named after the computer's hostname - "sesswin2003.com"? This seems ridiculous. 

By the way, after the keytab file is generated, I would transfer it to the printer, which is the LDAP client. Which directory should I put the file in?

Or if I have missed anything? Looking forward to your help, Michael.

Thanks, 
Xu Qiang
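Added example, not part of the thread or of any tool mentioned in it: a small Python parser for MIT-format keytab files (version 0x0502, which I assume is also what ktpass emits), so the principal, key version number and encryption type inside a keytab can be checked on the client before the file is relied on. `build_entry` and `SAMPLE_KEYTAB` only construct sample input for the principal discussed above, with a dummy all-zero key.

```python
import struct

def _counted(b: bytes) -> bytes:
    """Keytab string encoding: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def _take(body: bytes, off: int):
    """Read one counted string from body at off; return (bytes, new offset)."""
    (n,) = struct.unpack(">H", body[off:off + 2])
    return body[off + 2:off + 2 + n], off + 2 + n

def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Encode one keytab v2 entry (used here only to construct sample input)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # name type 1 = NT-PRINCIPAL, 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)  # full 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Return [(principal, kvno, enctype, key_length)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                          # negative size marks a deleted slot: skip it
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _take(body, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _take(body, off)
            comps.append(c.decode())
        _name_type, _ts, vno8, enctype, keylen = struct.unpack(">IIBHH", body[off:off + 13])
        off += 13 + keylen
        kvno = vno8
        if off + 4 <= len(body):               # optional trailing 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", body[off:off + 4])
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, keylen))
    return out

# Constructed sample: one entry for the LDAP service principal from the question.
# enctype 23 is RC4-HMAC with a 16-byte key; the key bytes here are dummies.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("ldap/sesswin2003.com@SESSWIN2003.COM", 3, 23, b"\x00" * 16)

if __name__ == "__main__":
    for principal, kvno, enctype, keylen in parse_keytab(SAMPLE_KEYTAB):
        print(f"{principal}  kvno={kvno}  enctype={enctype}  keylen={keylen}")
```

Comparing the parsed principal and kvno against what the KDC expects is the quickest way to spot a keytab that was generated for the wrong name or has gone stale after a password reset.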