kadmin on a Solaris Client?

Douglas E. Engert deengert at anl.gov
Fri Jan 14 17:28:04 EST 2011

On 1/14/2011 3:26 PM, Russ Allbery wrote:
> "Draht, Jeffrey"<jdraht at passhe.edu>  writes:
>> I’d rather communicate this way if possible?
>> Does the kadmin binary run on a non-kdc Solaris_10 ldap, kerberos
>> Client?
>> The KDC and AD Server are Windows 2008.
>> I am having difficulty with keytabs.  I’d rather have the Unix Team
>> Administer Rather than have the Intel/MS Team Create them?
> Unfortunately, each major Kerberos implementation uses a substantially
> different kadmin protocol (well, Heimdal's kadmind server supports most of
> the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
> protocol at all.
> You can create something kadmin-like to run on UNIX and create keytabs for
> AD if you use LDAP to create the object in AD and set its password and
> then generate a key from the same password.  I don't know if anyone has
> already done that work and provided it in some easy-to-use packaged form,
> though.

That would be the msktutil program.
Supports AES and AD 2008. Can also run on Solaris.

The Solaris adjoin script in effect does this too.

But from our previous e-mails, if what you are trying to do is
create a keytab for a user for SAP, and the user is already in AD,
all you need is /usr/bin/ktutil that comes with Solaris:

Assuming the xf1adm@LAB-PASSHE.LCL is in AD with a known password,
this could create a keytab for it. The user can do it themselves:

% ktutil
ktutil:   addent -password -p xf1adm@LAB-PASSHE.LCL -k 2 -e arcfour-hmac-md5
Password for xf1adm@LAB-PASSHE.LCL:
ktutil:  wkt /tmp/test.keytab
ktutil:  q

% klist -k -e -t /tmp/test.keytab
Keytab name: FILE:/tmp/test.keytab
KVNO Timestamp               Principal
---- ----------------- ---------------------------------------------------------
    2 01/14/11 16:21:04 xf1adm@LAB-PASSHE.LCL (ArcFour with HMAC/md5)

Store it in some other location than /tmp, on a local disk readable
only by the user.

Looking at your previous notes, you were trying to use
xf1adm@passhe.edu. Is it really xf1adm@LAB-PASSHE.LCL?

If not, see my comments about uppercase realm names even if
Windows is case insensitive,  and are you really trying to do
cross realm between LAB-PASHE.LCL and passhe.edu?



  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
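
Added example (not part of the original message, and not code from MIT Kerberos or Solaris): a small Python audit for a keytab such as the one written by ktutil above. It reads the 0x0502 keytab format, lists principal, kvno and enctype the way klist -k -e does, and reports a file accessible to group or other or an entry that uses a deprecated DES or RC4 enctype. SAMPLE is a constructed keytab with an all-zero dummy key; parse_keytab and audit_keytab are names chosen for this example.

```python
import os
import stat
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}  # deprecated DES and RC4 types
# Constructed sample: one entry shaped like the klist output above, all-zero dummy key.
_REC = (b"\x00\x01" + b"\x00\x0e" + b"LAB-PASSHE.LCL" + b"\x00\x06" + b"xf1adm"
        + struct.pack(">IIBHH", 1, 1295043664, 2, 23, 16) + bytes(16))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_REC)) + _REC

def _counted(rec, off):
    # uint16 length followed by that many bytes; returns (text, next offset)
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry of a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                     # negative length marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            name, off = _counted(rec, off)
            comps.append(name)
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                  # skip the key bytes, never print them
        if len(rec) - off >= 4:           # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype))))
    return entries

def audit_keytab(path):
    """Findings for a keytab file: group/other permission bits and deprecated enctypes."""
    with open(path, "rb") as fh:
        findings = ["%s kvno %d uses %s" % e for e in parse_keytab(fh.read()) if e[2] in WEAK]
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.insert(0, "keytab is accessible to group or other")
    return findings
```

An empty list from audit_keytab means the file is private to its owner and holds no DES or RC4 keys.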
