Cross Realm Administration?

Jeff draht jdraht at
Thu Jan 13 10:25:55 EST 2011

Here is the piece you requested to view in my /etc/krb5/krb5.conf

It looks like others, similar to the Docs?

        LAB-PASSHE.LCL = {
                kdc = drsaddcd01.lab-passhe.lcl
                admin_server = drsaddcd01.lab-passhe.lcl
                kdc = drsaddcd01.lab-passhe.lcl
                kdc = drsaddcd02.lab-passhe.lcl
                kdc = drsaddcd03.lab-passhe.lcl
                kpasswd_server = drsaddcd01.lab-passhe.lcl
                kpasswd_protocol = SET_CHANGE
        }

        .lab-passhe.lcl = LAB-PASSHE.LCL
        lab-passhe.lcl = LAB-PASSHE.LCL

Regarding the system keytab file? /etc/krb5/krb5.keytab

So I am understanding it to be for Services only?

ldap/drsaddcd01.lab-passhe.lcl@LAB-PASSHE.LCL
host/yeoman.lab-passhe.lcl@LAB-PASSHE.LCL

Then please explain a personal keytab?
So the AD Server creates the keytab.

I have a request from SAP to create a personal keytab for userid
This is what they are asking for?

So the keytab is created by the AD Server using ktpass?
Then I take it on the unix machine and run the kinit command?

I must save that keytab then and point xf1adm to always look at it?

KRB5_KTNAME=/<directory>/xf1.keytab.MD5.SUN (location of the keytab)

kinit -k -t /<directory>/xf1.keytab.MD5.SUN xf1adm at
