kadmin on a Solaris Client?

Jeff draht jdraht at gmail.com
Mon Jan 24 15:24:09 EST 2011


Doug thank you very much for that very detailed information.

Just one last question though?

Every time the xf1adm user logs in, do they have to kinit -k -t to
that keytab file?
Otherwise, how does the userid know about it?

Jeff


On Jan 14, 5:28 pm, "Douglas E. Engert" <deeng... at anl.gov> wrote:
> On 1/14/2011 3:26 PM, Russ Allbery wrote:
>
> > "Draht, Jeffrey"<jdr... at passhe.edu>  writes:
>
> >> I’d rather communicate this way if possible?
>
> >> Does the kadmin binary run on a non-kdc Solaris_10 ldap, kerberos
> >> Client?
>
> >> The KDC and AD Server are Windows 2008.
>
> >> I am having difficulty with keytabs.  I’d rather have the Unix Team
> >> Administer Rather than have the Intel/MS Team Create them?
>
> > Unfortunately, each major Kerberos implementation uses a substantially
> > different kadmin protocol (well, Heimdal's kadmind server supports most of
> > the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
> > protocol at all.
>
> > You can create something kadmin-like to run on UNIX and create keytabs for
> > AD if you use LDAP to create the object in AD and set its password and
> > then generate a key from the same password.  I don't know if anyone has
> > already done that work and provided it in some easy-to-use packaged form,
> > though.
>
> That would be the msktutil program. http://download.systemimager.org/~finley/msktutil/
> Supports AES and AD 2008. Can also run on Solaris.
>
> The Solaris adjoin script in effect does this too.
>
> But from our previous e-mails, if what you are trying to do is
> create a keytab for a user for SAP, and the user is already in AD,
> all you need is /usr/bin/ktutil that comes with Solaris:
>
> Assuming the xf1... at LAB-PASSHE.LCL is in AD with a known password,
> this could create a keytab for it. The user can do it themselves:
>
> % ktutil
> ktutil:   addent -password -p xf1... at LAB-PASSHE.LCL -k 2 -e arcfour-hmac-md5
> Password for xf1... at LAB-PASSHE.LCL:
> ktutil:  wkt /tmp/test.keytab
> ktutil:  q
>
> % klist -k -e -t /tmp/test.keytab
> Keytab name: FILE:/tmp/test.keytab
> KVNO Timestamp               Principal
> ---- ----------------- ---------------------------------------------------------
>     2 01/14/11 16:21:04 xf1... at LAB-PASSHE.LCL (ArcFour with HMAC/md5)
>
> Store it in some other location than /tmp, on a local disk readable
> only by the user.
>
> Looking at your previous notes, you were trying to use
> xf1... at passhe.edu. Is it really xf1... at LAB-PASSHE.LCL?
>
> If not, see my comments about uppercase realm names even if
> Windows is case insensitive, and are you really trying to do
> cross realm between LAB-PASSHE.LCL and passhe.edu?
>
> --
>
>   Douglas E. Engert  <DEEng... at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
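As an added illustration (not from this thread, and not the code of Solaris ktutil or klist), here is a small Python writer and reader for the 0x0502 keytab file format that ktutil's wkt produces and klist -k reads. The principal name and enctype mirror the klist output quoted above; the key bytes in the test are a constructed placeholder, not a key derived from any password.

```python
import struct
import time

RC4_HMAC = 23  # enctype arcfour-hmac-md5; klist prints it as "ArcFour with HMAC/md5"
ENCTYPE_NAMES = {RC4_HMAC: "ArcFour with HMAC/md5", 18: "aes256-cts-hmac-sha1-96"}

def _counted(b):  # keytab counted string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _take(data, pos):  # inverse of _counted: returns (bytes, position after them)
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def write_keytab(entries):  # entries: (principal, kvno, enctype, key, unix_timestamp)
    out = b"\x05\x02"  # file format version 0x0502, what ktutil 'wkt' writes
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)  # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def read_keytab(data):  # parse back into the same tuples; deleted (negative-size) slots skipped
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # free slot left behind when an entry was removed
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack_from(">H", data, pos)[0]
        pos, strings = pos + 2, []  # realm first, then the name components
        for _ in range(ncomp + 1):
            s, pos = _take(data, pos)
            strings.append(s.decode())
        _, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, = struct.unpack_from(">H", data, pos + 9)
        key, pos = _take(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype, key, ts))
        pos = end
    return entries

def klist_lines(data):  # render like 'klist -k -e -t' (timestamps shown in UTC here)
    return ["%4d %s %s (%s)" % (k, time.strftime("%m/%d/%y %H:%M:%S", time.gmtime(ts)), p,
                                ENCTYPE_NAMES.get(e, "etype %d" % e))
            for p, k, e, _, ts in read_keytab(data)]
```

Because the keytab holds the long-term key itself, anyone who can read the file holds the equivalent of the password, which is why the file must be readable only by its owner.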




More information about the Kerberos mailing list