SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at
Sun Mar 22 22:47:10 EDT 2009

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at] 
> Sent: Saturday, March 21, 2009 3:05 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; kerberos at
> Subject: Re: SASL authentication
> Michael said in an earlier note ktpass was not what you needed.
> Unless I missed something, I assumed the ldap service is 
> going to be running on a Unix system. In which case ktpass is 
> what you want.

Both LDAP service and Kerberos service are running on the same machine, equipped with Windows 2003 Server OS. So only ktpass is available to generate a keytab file. The LDAP client in the printer is running on a Wind River Linux system.
> The term "user account" used by Microsoft refers to the AD 
> objectClass user. It has nothing to do with the user's who 
> will be using the service.  You are in effect creating a 
> service account for the service, and ktpass will map the 
> principal of the service to the account. Since account names 
> can not have / and have to be 19 characters or less, you 
> could name the account something like ldap-sesswin2003.
> > Anyway, I've given it a try. First, I created a user 
> > "ldapServer/Fair123" in ADS of sesswin2003. Then:
> I don't think you can have the / in the name. The -mapuser 
> parameter below has to match the account name. When you run 
> ktpass it will update the AD account, *AND* the keytab 
> with the new pass and update the kvno.

In my example, the username is "ldapServer", "Fair123" is the password associated with this user. Sorry for the confusion.
> > ========================================================
> > C:> ktpass -princ ldap/ at SESSWIN2003.COM -mapuser 
> > ldapServer -pass Fair123 -out ldap.keytab 
> > ========================================================
> > It finished smoothly. Then I ftp'ed it to the printer, 
> > which is LDAP client and Kerberos client. First I put it into 
> > "/etc/openldap", as suggested by 
> ftp'ed what? To where?
> the ldap.keytab is for the ldap server, not the client.
> The default location of a keytab is /etc/krb5.keytab but can  
> be somewhere else where the ldap server can access it.
> See KRB5_KTNAME env variable.

I ftp'ed the output of the ktpass command, the keytab file "ldap.keytab", into the printer, which is an LDAP client. The client will use it to identify the LDAP server in SASL communication with the Kerberos server. Michael also pointed it out previously. The following is what Michael said before:
First try to do a kinit with providing the password. After that you could try using keytab files (on your LDAP client) if needed in your setup.
You mean the keytab file should be put in the LDAP server? My LDAP server is ADS in Windows 2003 Server EE, so where should I put it?

Xu Qiang
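An added check, not part of this thread or of MIT Kerberos: a small Python reader for the keytab file format (version 0x0502) that lists, for each entry, the principal, kvno and enctype, the same view that `klist -k` gives. It is run here over a keytab constructed in the script itself; the host name `host.example.test`, the kvno and the all-zero key are made-up values, and the reader deliberately reports only the key length, since a keytab carries the service's long-term key.

```python
import struct

# Constructed values: host name, key bytes and kvno are made up for this example.
def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_keytab(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Build a one-entry keytab (format 0x0502) so the reader can be exercised offline."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # name_type=1 (principal), timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, key length, raw key
    body += struct.pack(">I", kvno)                      # trailing 32-bit kvno used by format 0x0502
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def _take_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def read_keytab(data: bytes) -> list:
    """Return one dict per entry: principal, kvno, enctype and key length (never the key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take_cstr(data, pos)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen               # skip over the key bytes without keeping them
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present; a non-zero value overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": klen})
        pos = end
    return entries

SAMPLE = build_keytab("ldap/host.example.test@SESSWIN2003.COM", kvno=3, enctype=23, key=bytes(16))
```

Running `read_keytab` over a real file shows whether the principal is the `ldap/host@REALM` service principal ktpass wrote and whether the kvno matches the account, which is the question to settle before the file is copied anywhere.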
