Cross Realm Administration?

Douglas E. Engert deengert at
Mon Jan 10 10:06:06 EST 2011

On 1/7/2011 3:12 PM, Jeff draht wrote:
> We are testing Single Signon;
> I have a MS2008 KDC and AD server are one in the same, and a
> Solaris_10 ldap Client in a SAP environment which we seem to have
> partially kerberized. I can do a klist, klist -k and see my keytab...
> single signon works for the most part, we can login and authenticate
> against the AD Server.
> We used the provided by SUN/Oracle to establish a Kerberos
> Client Conenction.
> I have even merged a few userid entries to the keytab. I can list them
> out. klist -k
> I can kinit userid w/o issue. All ldap client commands function just
> fine...
> I created the keytabs for one userid manually and the other I had the
> PC team create using ktpass as per the Instructios on MS TechNet.  He
> created a key and I merged in on the solaris machine. I can see the
> entries just fine.

I think you have a misunderstanding or how this should work.
User keytab files are never merged in with the system keytab!

Services have principals, and store keys in keytabs. Keytabs are normally
accessed by servivces like login, or sshd. Users use passwords
to get tickets using kinit.  (Users can use keytabs, but usually only
for cron jobs where the user is not present to type the password.
The keytab can be created locally from the password.)

> What I cannot do is make kadmin work so that I can do remote kerberos
> administration or get the seam tool to authenticate?

AD does not respond to kadmin. You have to do the AD administration
using AD tools.

> When I run kadmin I get the following error;
> We have a  default REALM, i just did not want to post it all over the
> internet...
> Authenticating as principal jdraht/admin at REALM with password.
> kadmin: Client not found in Kerberos database while initializing
> kadmin interface
> When I run seam tool it populates 2 of 4 fields correctly and I add
> jdraht/admin at REALM and the password I get "Client not found in
> kerberos database?"
> The PC Admins claim that all fields are correct, they show me
> snapshots.  Also, they claim that the DC's replicated the info fine.
> I am out of ideas?  I have been and am reading every blog, support doc
> out there and am trying suggestions w/negres...

Start with this old but still valuable description of how AD and Kerberos
can work together in a number od different ways:

Keep in mind that Microsoft referees to a "user" account for the
host/hastname at realm. This in not to be confused with Kerberos users.

Google for: kerberos windows

> Sun helped with the LDAP, but claim that kerberos and AD is not their
> area of expertise?
> Also and this may be related, the SAP DBA's are trying to use SNC and
> there seems to be an issue there?  Maybe a Library issue or related to
> the above? Not sure yet? One problem at a time?
> Has anyone gone thru this exercise?
> If you have any suggestions? or can point me in a direction for
> support, please advise?

Authentication is done via Kerberos, so you also need the Sun pam_krb5.

Authorization can then be done using: the local passwrd/shadow/group files,
NIS or LDAP. With LDAP, AD can be the server, or you could have an independent
LDAP server. You would then start to populate the LDAP database with the
data from NIS or passwd and group files.

So to start with, get the Kerberos authentication working using users listed
in the password file.  (A shadow password field of NP can be use to indicate
that no there is no password, i.e. some other method of authentication is needed
like Kerberos.)

> Thanks, Jeff
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list