Xu, Qiang (FXSGSC)
Qiang.Xu at fujixerox.com
Fri Mar 20 00:15:37 EDT 2009
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Friday, March 20, 2009 9:09 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; kerberos at mit.edu
> Subject: Re: SASL authentication
> Start with:
> Then look for ksetup program and 2003.
> Also look at Samba for net join and windbind and also look
> for msktutil.
> Solaris has a script to do this
Thanks for providing the URL for my reference. It is helpful, but I still have some questions.
Here is the tutorial said:
To create a service instance account in Active Directory
1. Use the Active Directory Management tool to create a user account for the UNIX service; for example, create an account with the name sampleUnix1.
2. Use the Ktpass tool to set up an identity mapping for the user account. Use this command:
C:> Ktpass princ service-instance at REALM mapuser account-name -pass password -out unixmachine.keytab
The format of the Kerberos service-instance name is: service/host.realm_name, for example:
C:> ktpass princ sample/unix1.reskit.com at RESKIT.COM -mapuser sampleUnix1 pass password out unix1.keytab
In this case, an account is created with a meaningful name sampleUnix1, and a service principal name mapping is added for sample/unix1.reskit.com. This is the purpose of using Ktpass with the princ and mapuser switches.
3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
Apart from this, things like ksetup seems irrelavant to my case.
For my case, I want to add an LDAP service principle into the keytab file, so it probably should be:
C:> ktpass princ ldap/sesswin2003.com at SESSWIN2003.COM -mapuser <what_should_i_put_here> pass <what_should_i_put_here> out ldap.keytab
In our environment, there is a domain called "SESSWIN2003.COM", and there is only one machine in this domain, with the hostname called "sesswin2003.com". But to create the keytab file for the LDAP server (ADS in the same machine), what user/password should I set?
More information about the Kerberos