kadmin on a Solaris Client?

Douglas E. Engert deengert at anl.gov
Mon Jan 24 16:25:39 EST 2011



On 1/24/2011 2:24 PM, Jeff draht wrote:
> Doug thank you very much for that very detailed information.
>
> Just one last question though?
>
> Every time the xf1adm user logs in, do they have to kinit -k -t  to
> that keytab file?

When you say xf1adm logs on, what do you mean?

You could still have a local login at the console using some
password in shadow, or NIS, then use the user keytab to get kerberos
credentials.

If xf1adm is a real user, consider using pam_krb5, so no user keytab
is needed and the user enters a password.

If it is from cron, then the kinit -k -t would be part of the cron
job, or use kstart.

If the login is from some other machine via ssh, consider using ssh
with GSSAPI. ssh to sshd can use GSSAPI, which uses Kerberos,
and can delegate a ticket too, so there is no user keytab on the sshd machine.


> Otherwise, how does the userid know about it?
>
> Jeff
>
>
> On Jan 14, 5:28 pm, "Douglas E. Engert"<deeng... at anl.gov>  wrote:
>> On 1/14/2011 3:26 PM, Russ Allbery wrote:
>>
>>> "Draht, Jeffrey"<jdr... at passhe.edu>    writes:
>>
>>>> I’d rather communicate this way if possible?
>>
>>>> Does the kadmin binary run on a non-kdc Solaris_10 ldap, kerberos
>>>> Client?
>>
>>>> The KDC and AD Server are Windows 2008.
>>
>>>> I am having difficulty with keytabs.  I’d rather have the Unix Team
>>>> Administer Rather than have the Intel/MS Team Create them?
>>
>>> Unfortunately, each major Kerberos implementation uses a substantially
>>> different kadmin protocol (well, Heimdal's kadmind server supports most of
>>> the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
>>> protocol at all.
>>
>>> You can create something kadmin-like to run on UNIX and create keytabs for
>>> AD if you use LDAP to create the object in AD and set its password and
>>> then generate a key from the same password.  I don't know if anyone has
>>> already done that work and provided it in some easy-to-use packaged form,
>>> though.
>>
>> That would be the msktutil program: http://download.systemimager.org/~finley/msktutil/
>> Supports AES and AD 2008. Can also run on Solaris.
>>
>> The Solaris adjoin script in effect does this too.
>>
>> But from our previous e-mails, if what you are trying to do is
>> create a keytab for a user for SAP, and the user is already in AD,
>> all you need is /usr/bin/ktutil that comes with Solaris:
>>
>> Assuming the xf1... at LAB-PASSHE.LCL is in AD with a known password,
>> this could create a keytab for it. The user can do it themselves:
>>
>> % ktutil
>> ktutil:   addent -password -p xf1... at LAB-PASSHE.LCL -k 2 -e arcfour-hmac-md5
>> Password for xf1... at LAB-PASSHE.LCL:
>> ktutil:  wkt /tmp/test.keytab
>> ktutil:  q
>>
>> % klist -k -e -t /tmp/test.keytab
>> Keytab name: FILE:/tmp/test.keytab
>> KVNO Timestamp               Principal
>> ---- ----------------- ---------------------------------------------------------
>>    2 01/14/11 16:21:04 xf1... at LAB-PASSHE.LCL (ArcFour with HMAC/md5)
>>
>> Store it in some other location than /tmp, on a local disk readable
>> only by the user.
>>
>> Looking at your previous notes, you were trying to use
>> xf1... at passhe.edu. Is it really xf1... at LAB-PASSHE.LCL?
>>
>> If not, see my comments about uppercase realm names even if
>> Windows is case insensitive, and are you really trying to do
>> cross realm between LAB-PASSHE.LCL and passhe.edu?
>>
>>
>>
>> --
>>
>>    Douglas E. Engert<DEEng... at anl.gov>
>>    Argonne National Laboratory
>>    9700 South Cass Avenue
>>    Argonne, Illinois  60439
>>    (630) 252-5444
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
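
The cron case from the reply above, written out as an added example (this is not code from the thread or from MIT Kerberos): a job script that refuses to use a user keytab unless it is a private file, then runs kinit -k -t into its own credential cache and destroys it when the job ends. The principal name, keytab path and the job command /usr/local/bin/sap-job are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread: run a cron job with Kerberos
# credentials taken from a user keytab, as the reply above describes.
# Hypothetical names: principal xf1adm@LAB-PASSHE.LCL, keytab under the user's
# home directory, job command /usr/local/bin/sap-job.

PRINC="xf1adm@LAB-PASSHE.LCL"
KEYTAB="${HOME}/.krb5/xf1adm.keytab"
CACHE="/tmp/krb5cc_xf1adm_cron.$$"      # private, per-run credential cache

# Return 0 only if the keytab is a regular file owned by the caller and
# readable by nobody else. ls -ln (POSIX) gives the numeric uid, so no
# name lookup is needed and the check works the same on Solaris and Linux.
keytab_is_private() {
    kt="$1"
    [ -f "$kt" ] || return 1
    set -- $(ls -ln "$kt")             # $1 = mode string, $3 = owner uid
    mode="$1"; owner="$3"
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        ?rw-------|?r--------) return 0 ;;   # 0600 or 0400; a trailing '+' (ACL) is rejected
        *) return 1 ;;
    esac
}

# Acquire a TGT into the private cache. A keytab readable by others is as
# good as the user's password, so refuse it instead of quietly using it.
kinit_from_keytab() {
    princ="$1"; kt="$2"; cache="$3"
    if ! keytab_is_private "$kt"; then
        echo "refusing keytab $kt: must be a regular file, mode 0600, owned by uid $(id -u)" >&2
        return 2
    fi
    KRB5CCNAME="FILE:$cache"; export KRB5CCNAME
    kinit -k -t "$kt" "$princ"
}

run_job() {
    umask 077
    kinit_from_keytab "$PRINC" "$KEYTAB" "$CACHE" || exit $?
    # Do not leave a TGT on disk after the job, whatever its exit status.
    trap 'kdestroy >/dev/null 2>&1; rm -f "$CACHE"' EXIT
    /usr/local/bin/sap-job
}

# Only run the job when invoked as:  sh this-script.sh run   (e.g. from crontab)
case "${1-}" in
    run) run_job ;;
esac
```

The separate KRB5CCNAME keeps the cron job from overwriting an interactive login's cache for the same user, and the mode check enforces the "local disk, readable only by the user" advice above before any key is touched. For long-running jobs, kstart's k5start does the same kinit from a keytab and keeps the ticket renewed.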


