SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at
Fri Mar 20 00:15:37 EDT 2009

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at] 
> Sent: Friday, March 20, 2009 9:09 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; kerberos at
> Subject: Re: SASL authentication
> Start with:
> Then look for ksetup program and 2003.
> Also look at Samba for net join and windbind  and also look 
> for msktutil.
> Solaris has a script to do this

Hi, Douglas: 

Thanks for providing the URL for my reference. It is helpful, but I still have some questions. 

Here is the tutorial said: 
To create a service instance account in Active Directory 

1. Use the Active Directory Management tool to create a user account for the UNIX service; for example, create an account with the name sampleUnix1.

2. Use the Ktpass tool to set up an identity mapping for the user account. Use this command:

    C:> Ktpass princ service-instance at REALM mapuser account-name -pass password -out unixmachine.keytab

    The format of the Kerberos service-instance name is: service/host.realm_name, for example:

    C:> ktpass princ sample/ at RESKIT.COM -mapuser sampleUnix1 pass password out unix1.keytab

    In this case, an account is created with a meaningful name sampleUnix1, and a service principal name mapping is added for sample/ This is the purpose of using Ktpass with the princ and mapuser switches.

3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
Apart from this, things like ksetup seems irrelavant to my case. 

For my case, I want to add an LDAP service principle into the keytab file, so it probably should be:
    C:> ktpass princ ldap/ at SESSWIN2003.COM -mapuser <what_should_i_put_here> pass <what_should_i_put_here> out ldap.keytab
In our environment, there is a domain called "SESSWIN2003.COM", and there is only one machine in this domain, with the hostname called "". But to create the keytab file for the LDAP server (ADS in the same machine), what user/password should I set?

Xu Qiang

More information about the Kerberos mailing list