[30064] in Kerberos
windows 2003 AD and keytab file generation
daemon@ATHENA.MIT.EDU (Shambhulal R. Sharma)
Tue Jul 1 18:16:57 2008
Date: Tue, 1 Jul 2008 12:33:37 -0700
Message-ID: <2A760B9242661D48B778599DC639260C059371@VEX.ad.ga.com>
From: "Shambhulal R. Sharma" <Sam.Sharma@ga.com>
To: <kerberos@mit.edu>

Hi All,

I am trying to use Active Directory installed on Windows Server 2003 as
a KDC. I followed the Microsoft step-by-step guide
http://technet.microsoft.com/en-us/library/bb742433.aspx to create a
Windows user account, use the ktpass command to map a service principal
name to the Windows user account, and generate a keytab file. So far I
can map one service principal name to one Windows user account, which
works fine.

I have a requirement where multiple services running on a system should
map their service principals to a single Windows user, preferably a
computer account. I would like to generate/prepare a single keytab file
for all service [ftp, http, etc.] principal names using the ktpass and
ktutil commands.

My questions:

Is it possible to use a computer account to map multiple service
principal names? I know about the setspn command, which allows
add/delete/list operations to manage service principal association with
a Windows user/computer account.

The problem seems to be with the ktpass command: I do not know how I can
generate a keytab file for all service principals associated with a single
user/computer account. Every time I try to use the ktpass -princ ...
command it changes the kvno number, which invalidates the previous keytab
files. I tried ktpass with multiple -princ <...> -princ <...> options,
which generates the keytab file only for the last principal name
specified on the ktpass command line.

Is it possible to have multiple service principals associated with a
single computer/user account? Due to some security reasons this is not
permitted on Windows.

SAM SHARMA
<http://technet.microsoft.com/en-us/library/bb742433.aspx#EBAA>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos