
Re: Creating an MIT style keytab for an existing Windows AD member

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Jul 23 15:34:52 2008

Date: Wed, 23 Jul 2008 14:33:54 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Michael B Allen <ioplex@gmail.com>
Message-ID: <20080723193354.GW25547@Sun.COM>
Mail-Followup-To: Michael B Allen <ioplex@gmail.com>,
	Edward Irvine <eirvine@tpg.com.au>, kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <78c6bd860807231101o64f71bbfx8cfd14af78ccd4c0@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible [1].

Nor is it possible to extract them from MIT krb5 KDCs.

> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a keytab file.

You can build keytabs directly on MIT krb5 systems using the MIT krb5
API, or even interactively with kpasswd and ktutil (an early version of
adjoin [see below] did just that).

Or you could probably just use or adapt Sun's adjoin/ksetpw tools to
your purposes:

http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp
http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf
http://opensolaris.org/os/project/winchester/files/adjoin-s10u4.tar.gz
http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz

> Note that you must have at least account operator privilege to set a
> password in AD.

Indeed.

> Mike
> 
> [1] There is a freeware utility called ktexport that can extract the
> keys from a DC and dump them into a keytab but it is only (sometimes)
> useful for debugging purposes with WireShark. The resulting keytab is
> not valid for use with any kind of service.

Sure, if you have direct, privileged access to a KDC you could always
extract its keys.  Portions of the KDC could run directly in a hardware
keystore, making it really hard to get to the keys, but that's not the
case here.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos