How to write script for ktutil

Ubaid Rahman ubaid.u.rahman at gsk.com
Thu May 19 12:20:19 EDT 2011


Here is a way I've been using:

/usr/krb5/sbin/ktutil <<EOF
rkt $DIR/keytabs/$HOST.keytab
wkt /etc/krb5/krb5.keytab
list
exit
EOF

Ubaid Rahman
Senior AIX Administrator
SCS C&ES Infrastructure
Admin 1 # 146E
Ph # *.703.2817 (internal) or 919.483.2817 (external)
      # 919.314.7177 (cell)   
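
The here-document in the post expands $DIR and $HOST directly into ktutil commands and writes to the live keytab. The following is an added example, not code from the original post: it validates the host name, refuses a source keytab that is group- or world-accessible, and stages the write before renaming it over the destination. KTUTIL, KEYTAB_DIR, is_private_file and install_host_keytab are names assumed for this sketch.

```shell
#!/bin/sh
# Added example; KTUTIL, KEYTAB_DIR and both function names are assumptions.
KTUTIL=${KTUTIL:-/usr/krb5/sbin/ktutil}        # path used in the post
KEYTAB_DIR=${KEYTAB_DIR:-${DIR:-.}/keytabs}    # $DIR/keytabs in the post

# True only for a regular, non-symlink file with no group/other mode bits.
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# install_host_keytab HOST DEST: add $KEYTAB_DIR/HOST.keytab to DEST.
install_host_keytab() {
    host=$1
    dest=$2
    # HOST is expanded inside the here-document below, so any character
    # outside a host name (space, newline, slash) could change the commands.
    case $host in
        ''|*[!A-Za-z0-9._-]*) echo "rejected host name" >&2; return 2 ;;
    esac
    src=$KEYTAB_DIR/$host.keytab
    is_private_file "$src" || { echo "$src: missing or not private" >&2; return 3; }

    # mktemp creates the staging file mode 0600, beside DEST so mv is a rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 4
    if [ -f "$dest" ]; then
        cp "$dest" "$tmp" || { rm -f "$tmp"; return 4; }
    fi
    before=$(( $(wc -c < "$tmp") ))

    "$KTUTIL" <<EOF
rkt $src
wkt $tmp
list
exit
EOF
    # Judge success by the staged file, not by the exit status alone.
    after=$(( $(wc -c < "$tmp") ))
    if [ "$after" -le "$before" ]; then
        echo "no entries written; $dest left unchanged" >&2
        rm -f "$tmp"
        return 5
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}
```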

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of kerberos-request at mit.edu
Sent: Thursday, May 19, 2011 12:03 PM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 101, Issue 14


Today's Topics:

   1. Re: BUG Report :  'krb5.ini' not found on Windows. (Weijun Wang)
   2. How to write script for ktutil (Carfield Yim)
   3. How to buil Kerberos for windows (Dao, Khanh (IS))
   4. Instant Messaging client-server solution? (Jaap Winius)
   5. Re: Instant Messaging client-server solution? (Russ Allbery)
   6. Re: Instant Messaging client-server solution? (Dax Kelson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 May 2011 11:49:05 +0800
From: Weijun Wang <weijun.wang at oracle.com>
Subject: Re: BUG Report :  'krb5.ini' not found on Windows.
To: jaltman at secure-endpoints.com
Cc: kerberos at mit.edu
Message-ID: <4DD341B1.7080905 at oracle.com>
Content-Type: text/plain; charset=UTF-8; format=flowed



On 05/18/2011 02:43 AM, Jeffrey Altman wrote:
> Application specific configuration files do not belong in \WINDOWS.
> The correct place for krb5.ini is \ProgramData\Kerberos\krb5.ini which
> requires that the environment variable KRB5_CONFIG be set to refer to
> that file.
>
> I do not know whether or not Java will pay attention to the environment
> variable.

We are not reading this environment variable; we will consider adding it.

So, the logic will be

1. If java system property java.security.krb5.conf set, use it
2. If KRB5_CONFIG set, use it
3. If $JRE/lib/security/krb5.conf exists, use it
4. If Windows:
    a) If there is krb5.ini in GetWindowsDirectory, use it
    b) If there is krb5.ini in GetSystemWindowsDirectory, use it
    c) Use USERDNSDOMAIN and LOGONSERVER environment variables
5. If *nix:
    a) If Solaris, try /etc/krb5/krb5.conf
    b) Otherwise, try /etc/krb5.conf
    c) Use DNS

Thanks
Weijun

>
> Jeffrey Altman
>
>
> On 5/17/2011 6:53 AM, Onkesh Bansal wrote:
>> Hello,
>>
>>
>>
>> Configuration>>
>>
>>>>> Windows 2008 R2 (Service Pack 1) workstation.
>>
>>
>>
>> I am having this problem on my machine and am not able to figure out
>> what is the root cause.
>>
>> The scenario seems with Terminal Services installed on the system and
>> when the authentication has to be done via the LDAP over the local
>> network.
>>
>>
>> This bug has been logged with ORACLE-JAVA at
>> http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
>> provided a workaround.
>>
>> My Query is:
>>
>> 1. What is the reason behind this bug? I need to know the root
>> cause for this.
>>
>> 2. What should be my steps (apart from the workaround provided
>> with the bug resolution) so as to prevent any future re-occurrences?
>> i.e. I need a fix.
>>
>> 3. Can it be related to the version changes of Kerberos or is it
>> because of Windows 2008?
>>
>>
>>
>> Thanks & Regards,
>>
>> Onkesh Bansal
>>
>> Engineer-1 QA,
>>
>> Quark Media House (P) Ltd.
>>
>> obansal at quark.com
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos


------------------------------

Message: 2
Date: Wed, 18 May 2011 02:44:03 -0700 (PDT)
From: Carfield Yim <carfield at gmail.com>
Subject: How to write script for ktutil
To: kerberos at mit.edu
Message-ID:
	<75285564-eee9-4a0d-be1b-9220682cef4d at d19g2000prh.googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-1

We need to automatically generate a Kerberos keytab at a Solaris machine
on Windows Active Directory. The tool ktutil lets us do that
manually on Solaris. However, it looks like there is no way to put the
ktutil commands in a script. I tried to put all the commands, as well as
the passwords, in the file "input.txt", and ran

cat input.txt | ktutil

However, ktutil will complain: "addent: Cannot read password
while adding new entry"

Is there any way I can put that in a script? From some web searching, there
is a Perl module, Authen-Krb5-Admin, for this task, but there is not much
documentation for it. Does anyone have a good pointer about that?
Or can I simply do that using a shell script?


------------------------------

Message: 3
Date: Wed, 18 May 2011 19:43:17 +0000
From: "Dao, Khanh (IS)" <khanh.dao at ngc.com>
Subject: How to buil Kerberos for windows
To: "kerberos at mit.edu" <kerberos at mit.edu>
Message-ID:
	<1FA88A9D6D15044191C3B2BCAFCC00CB064DD6 at XMBC3085.northgrum.com>
Content-Type: text/plain; charset="us-ascii"


Hi,
I am seeking info on how to build the latest Kerberos 5 Release 1.9.1 for Windows. Following the instructions, I got:

C:\Program Files\Microsoft SDKs\Windows\v6.1\include\ntstatus.h(11618) : warning
C4005: 'STATUS_SXS_INVALID_DEACTIVATION' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v6.1\include\winnt.h(1857) : see
previous definition of 'STATUS_SXS_INVALID_DEACTIVATION'
        ..\..\..\config\rm.bat ..\obj\i386\dbg\ccache.lst
        ..\..\..\util\windows\obj\i386\dbg\libecho -p ccache\ obj\i386\dbg\*.obj
  ccapi\obj\i386\dbg\*.obj > ..\obj\i386\dbg\ccache.lst
NMAKE : fatal error U1077: 'for' : return code '0x15a3e8'
Stop.
NMAKE : fatal error U1077: 'for' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'for' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'for' : return code '0x1'
Stop.


Is there an installer for Windows for the latest Kerberos 5 Release 1.9.1?

Thanks
Khanh Dao
Software Engineer
Northrop Grumman Information Systems, Inc.
Defense Mission Systems Division
Airbone & Maritime System (AMS)
9326 Spectrum Center Blvd., Mail Stop CA222/1138
San Diego, CA 92123
858-514-9177
Fax: 858-514-9010



------------------------------

Message: 4
Date: Wed, 18 May 2011 02:29:32 +0200
From: Jaap Winius <jwinius at umrk.nl>
Subject: Instant Messaging client-server solution?
To: kerberos at mit.edu
Message-ID: <20110518022932.11396as5584mrtc8 at bitis.umrk.nl>
Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed"

Hi folks,

Can anyone recommend an Instant Messaging solution, client and
server, that plays nice with Kerberos 5?

The group of people I would be setting it up for all recently switched  
from using Windows XP workstations to Debian squeeze with Xfce.  
They're still getting used to the environment, so I don't want to  
offend their sensibilities too much with an IM client that is too  
minimal. They currently would prefer to use Pidgin, but are still  
flexible.

Their network consists of three geographically separate locations,  
each with its own Debian squeeze server that includes an iptables  
firewall and NAT, as well as IPv6 (and another firewall for that). The  
three servers communicate with each other via the Internet, but always  
through the firewalls (and NATs for IPv4). Zephyr may be a solution,  
but I'm not sure it would work with the NATs.

Thanks,

Jaap


------------------------------

Message: 5
Date: Wed, 18 May 2011 13:21:56 -0700
From: Russ Allbery <rra at stanford.edu>
Subject: Re: Instant Messaging client-server solution?
To: kerberos at mit.edu
Message-ID: <87pqnfep3v.fsf at windlord.stanford.edu>
Content-Type: text/plain; charset=us-ascii

Jaap Winius <jwinius at umrk.nl> writes:

> Can anyone recommend an Instant Messaging solution, client and
> server, that plays nice with Kerberos 5?

For client, Pidgin works well with GSS-API and is cross-platform.  For
server, we ended up using OpenFire, but I know there are others out there
that can also do GSS-API.

OpenFire has the drawback that it's written in Java and uses a completely
bizarre configuration mechanism that we had a lot of trouble with.  You
also have to fiddle with it a bit to get GSS-API to work properly.  It
wasn't an entirely obvious deployment, unfortunately.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


------------------------------

Message: 6
Date: Wed, 18 May 2011 14:40:24 -0600
From: Dax Kelson <dkelson at gurulabs.com>
Subject: Re: Instant Messaging client-server solution?
To: Jaap Winius <jwinius at umrk.nl>
Cc: kerberos at mit.edu
Message-ID: <1305751224.2681.3.camel at mentor.gurulabs.com>
Content-Type: text/plain; charset="UTF-8"

On Wed, 2011-05-18 at 02:29 +0200, Jaap Winius wrote:
> Hi folks,
> 
> Can anyone recommend an Instant Messaging solution, client and
> server, that plays nice with Kerberos 5?

We used Pidgin and OpenFire in our office. Works well. Was pretty
straightforward to configure.

Dax Kelson
Guru Labs



------------------------------



End of Kerberos Digest, Vol 101, Issue 14
*****************************************





