[30152] in Kerberos
Re: Creating an MIT style keytab for an existing Windows AD member
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Jul 23 21:42:06 2008
Date: Wed, 23 Jul 2008 20:40:46 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20080724014045.GJ25547@Sun.COM>
Mail-Followup-To: Russ Allbery <rra@stanford.edu>, kerberos@mit.edu
In-Reply-To: <87wsjcf6dj.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu

On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams@sun.com> writes:
> > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
>
> >> Extracting the keys from AD is not possible [1].
>
> > Nor is it possible to extract them from MIT krb5 KDCs.
>
> It is as of 1.6 using kadmin.local (not that this changes the rest of your
> point).

Right, it doesn't -- running kadmin.local on the KDC with sufficient
privilege qualifies as "privileged access to a KDC" :)
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos