[30902] in Kerberos


Re: SASL authentication

daemon@ATHENA.MIT.EDU (Nikhil Mishra)
Fri Mar 20 13:49:03 2009

Message-ID: <49C32212.90800@gs-lab.com>
Date: Fri, 20 Mar 2009 10:26:50 +0530
From: Nikhil Mishra <nikhilm@gs-lab.com>
MIME-Version: 1.0
To: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
In-Reply-To: <D8C9BC7FFCF8154FB7141EB8DB609C1727084B3461@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
Cc: Michael Ströder <michael@stroeder.com>,
   "kerberos@mit.edu" <kerberos@mit.edu>,
   "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Xu,
 
Please find my comments inline.

Xu, Qiang (FXSGSC) wrote:
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert@anl.gov] 
>> Sent: Friday, March 20, 2009 9:09 AM
>> To: Xu, Qiang (FXSGSC)
>> Cc: Michael Ströder; kerberos@mit.edu
>> Subject: Re: SASL authentication
>>
>> Start with:
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>> Then look for ksetup program and 2003.
>> Also look at Samba for net join and windbind  and also look 
>> for msktutil.
>> Solaris has a script to do this
>>     
>
> Hi, Douglas: 
>
> Thanks for providing the URL for my reference. It is helpful, but I still have some questions. 
>
> Here is the tutorial said: 
> =============================================
> To create a service instance account in Active Directory 
>
> 1. Use the Active Directory Management tool to create a user account for the UNIX service; for example, create an account with the name sampleUnix1.
>   
That is correct.
> 2. Use the Ktpass tool to set up an identity mapping for the user account. Use this command:
>
>     C:> Ktpass princ service-instance@REALM mapuser account-name -pass password -out unixmachine.keytab
>
>     The format of the Kerberos service-instance name is: service/host.realm_name, for example:
>
>     C:> ktpass princ sample/unix1.reskit.com@RESKIT.COM -mapuser sampleUnix1 pass password out unix1.keytab
>
>     In this case, an account is created with a meaningful name sampleUnix1, and a service principal name mapping is added for sample/unix1.reskit.com. This is the purpose of using Ktpass with the princ and mapuser switches.
>
>   
Try the -setupn, -setpass and /ptype KRB5_NT_PRINCIPAL options as well.
> 3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
> =============================================
> Apart from this, things like ksetup seem irrelevant to my case. 
>
>   
Ksetup is useless in your case. It is used for a Windows machine to join
a Linux KDC.
> For my case, I want to add an LDAP service principal into the keytab file, so it probably should be:
> =============================================
>     C:> ktpass princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser <what_should_i_put_here> pass <what_should_i_put_here> out ldap.keytab
> =============================================
> In our environment, there is a domain called "SESSWIN2003.COM", and there is only one machine in this domain, with the hostname called "sesswin2003.com". But to create the keytab file for the LDAP server (ADS in the same machine), what user/password should I set?
>
>   
A few questions before we go ahead:
1. What is your host server? (e.g. Windows Server 2003 SP2 SE, EE)
2. What is your ktpass version?

I have done quite an extensive exercise on this recently, so please take
care of the following things:

1. It is very important that you have the right version of ktpass on the right
operating system.
2. Please use the right options with ktpass.


> Thanks,
> Xu Qiang


Thanks

nikhil

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
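One way to check what ktpass actually produced, and what the merge into /etc/krb5.keytab left behind, as an added example that is not part of this thread: a small Python parser for the MIT keytab format plus the checks a practitioner runs before pointing the LDAP service at the file (the expected principal is present, there is one current kvno, no DES-only keys). The sample keytab is built in memory from constructed, non-real key bytes; the ktpass invocation in the docstring follows ktpass's own documentation, with the account name (sampleUnix1) taken from the quoted tutorial and the rest assumed. RC4 is accepted alongside AES here only because a Windows Server 2003 KDC cannot issue AES keys.

```python
"""Inspect an MIT-format keytab: what ktpass writes with /out and ktutil merges into
/etc/krb5.keytab.  Added example; the sample below is built in memory from arbitrary
(not real) key bytes.  A real ldap.keytab would come from, e.g.
  C:> ktpass /princ ldap/sesswin2003.com@SESSWIN2003.COM /mapuser sampleUnix1 /pass * /ptype KRB5_NT_PRINCIPAL /out ldap.keytab
(ktpass syntax per its own documentation; account name assumed) and then ktutil's rkt/wkt."""
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}   # 23 = RC4-HMAC-NT
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST"}

def _counted(data):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Serialise (principal, name_type, kvno, enctype, key, unix_time) tuples; sample input only."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, name_type, kvno, enctype, key, when in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, when, kvno & 0xFF)   # 8-bit vno field
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                            # 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _counted_at(buf, p):
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return one dict per live entry; negative-size records are deleted entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 05 02 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0: break
        if size < 0:                      # hole left by ktutil delent
            pos += -size
            continue
        body, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", body, p); p += 2
        realm, p = _counted_at(body, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted_at(body, p)
            comps.append(comp.decode())
        name_type, when, vno8 = struct.unpack_from(">IIB", body, p); p += 9
        (enctype,) = struct.unpack_from(">H", body, p); p += 2
        key, p = _counted_at(body, p)
        kvno = vno8
        if len(body) - p >= 4:            # optional 32-bit vno wins when non-zero
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": kvno, "enctype": enctype, "key_len": len(key), "timestamp": when,
            "enctype_name": ENCTYPES.get(enctype, f"enctype-{enctype}"),
        })
        pos += size
    return entries

def check_keytab(entries, principal, accepted_enctypes=(17, 18, 23)):
    """Checks to run on the merged keytab before pointing the service at it."""
    matching = [e for e in entries if e["principal"] == principal]
    if not matching:
        return [f"MISSING: no entry for {principal} (principal or realm spelled differently?)"]
    findings = []
    kvnos = sorted({e["kvno"] for e in matching})
    if len(kvnos) > 1:
        findings.append(f"WARN: mixed kvnos {kvnos}; the KDC issues tickets under the newest one")
    for e in matching:
        if e["enctype"] not in accepted_enctypes:
            findings.append(f"WEAK: kvno {e['kvno']} uses {e['enctype_name']}")
    if not findings:
        findings.append(f"OK: {principal} kvno {kvnos[0]} {[e['enctype_name'] for e in matching]}")
    return findings

# Constructed sample: a DES key from an earlier ktpass run (kvno 2) plus the current RC4 key (kvno 3).
SAMPLE_KEYTAB = build_keytab([
    ("ldap/sesswin2003.com@SESSWIN2003.COM", 1, 2, 3, bytes.fromhex("0102040708101316"), 1237525010),
    ("ldap/sesswin2003.com@SESSWIN2003.COM", 1, 3, 23, bytes.fromhex("00112233445566778899aabbccddeeff"), 1237525010),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"kvno {e['kvno']:>3}  {e['enctype_name']:<24} {e['principal']}  ({e['name_type']})")
    for line in check_keytab(entries, "ldap/sesswin2003.com@SESSWIN2003.COM"):
        print(line)
```

Run it with the path of a real keytab as the only argument and compare its listing with `klist -kt /etc/krb5.keytab`; the listing tells you whether the principal, realm case and kvno are what you asked ktpass for, but only `kinit -kt ldap.keytab ldap/sesswin2003.com@SESSWIN2003.COM` proves the key actually matches the one the KDC holds. A stale lower kvno is what a re-run of ktpass (which resets the account password) typically leaves behind after the merge.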

