
Re: kadmin on a Solaris Client?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Jan 14 17:28:10 2011

Message-ID: <4D30CDF4.3000808@anl.gov>
Date: Fri, 14 Jan 2011 16:28:04 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <87lj2nuqgv.fsf@windlord.stanford.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit



On 1/14/2011 3:26 PM, Russ Allbery wrote:
> "Draht, Jeffrey" <jdraht@passhe.edu> writes:
>
>> I’d rather communicate this way if possible?
>
>> Does the kadmin binary run on a non-kdc Solaris_10 ldap, kerberos
>> Client?
>
>> The KDC and AD Server are Windows 2008.
>
>> I am having difficulty with keytabs.  I’d rather have the Unix Team
>> Administer Rather than have the Intel/MS Team Create them?
>
> Unfortunately, each major Kerberos implementation uses a substantially
> different kadmin protocol (well, Heimdal's kadmind server supports most of
> the MIT protocol), and Microsoft's AD in particular doesn't use the kadmin
> protocol at all.
>
> You can create something kadmin-like to run on UNIX and create keytabs for
> AD if you use LDAP to create the object in AD and set its password and
> then generate a key from the same password.  I don't know if anyone has
> already done that work and provided it in some easy-to-use packaged form,
> though.

That would be the msktutil program.
http://download.systemimager.org/~finley/msktutil/
Supports AES and AD 2008. Can also run on Solaris.

The Solaris adjoin script in effect does this too.

But from our previous e-mails, if what you are trying to do is
create a keytab for a user for SAP, and the user is already in AD,
all you need is /usr/bin/ktutil that comes with Solaris:

Assuming the xf1adm@LAB-PASSHE.LCL is in AD with a known password,
this could create a keytab for it. The user can do it themselves:

  % ktutil
  ktutil:  addent -password -p xf1adm@LAB-PASSHE.LCL -k 2 -e arcfour-hmac-md5
  Password for xf1adm@LAB-PASSHE.LCL:
  ktutil:  wkt /tmp/test.keytab
  ktutil:  q

  % klist -k -e -t /tmp/test.keytab
  Keytab name: FILE:/tmp/test.keytab
  KVNO Timestamp         Principal
  ---- ----------------- ---------------------------------------------------------
     2 01/14/11 16:21:04 xf1adm@LAB-PASSHE.LCL (ArcFour with HMAC/md5)

Store it in some other location than /tmp, on a local disk readable
only by the user.

Looking at your previous notes, you were trying to use
xf1adm@passhe.edu. Is it really xf1adm@LAB-PASSHE.LCL?
If not, see my comments about uppercase realm names even if
Windows is case insensitive, and are you really trying to do
cross realm between LAB-PASSHE.LCL and passhe.edu?


-- 
  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
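The ktutil session above, reimplemented as an added example (this is editor-supplied code, not part of the original post and not Solaris or MIT code). It shows what `addent -password ... -e arcfour-hmac-md5` does under the hood: the arcfour-hmac-md5 (enctype 23) key is MD4 over the UTF-16LE password with no salt, i.e. the Windows NT hash, so an arcfour keytab is password-equivalent and deserves the "readable only by the user" handling recommended above. It then writes the version-2 keytab layout and parses it back the way `klist -k -e -t` lists it. MD4 is written out in pure Python because `hashlib.new("md4")` is absent on many current OpenSSL 3 systems. The password, kvno and timestamp are constructed sample values; the one caveat worth carrying over from practice is that the kvno you pass to `-k` must match the key version the KDC is using for that account, or service tickets will not decrypt with this keytab. AES enctypes use a salted PBKDF2 derivation and are not shown.

```python
# Added example, not from the original post: a pure-Python equivalent of
# "ktutil addent -password -e arcfour-hmac-md5" plus a klist-style reader.
# Principal, password, kvno and timestamp values used are constructed.
import os
import struct

RC4_HMAC = 23            # Kerberos enctype number for arcfour-hmac-md5
KRB5_NT_PRINCIPAL = 1
_M = 0xFFFFFFFF


# --- MD4 (RFC 1320), written out because hashlib.new("md4") needs OpenSSL's
# --- legacy provider and is missing on many current systems.
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = (b & c) | (b & d) | (c & d), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = b ^ c ^ d, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = _rotl((a + f + X[k] + add) & _M, s)
            a, b, c, d = d, t, b, c       # rotate registers: next step updates "d"
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key for enctype 23: MD4(UTF-16LE(password)), no salt.
    This is the NT hash, which is why an arcfour keytab is password-equivalent."""
    return md4(password.encode("utf-16-le"))


def _counted(b: bytes) -> bytes:         # keytab counted_octet_string
    return struct.pack(">H", len(b)) + b


def keytab_entry(principal: str, password: str, kvno: int, timestamp: int) -> bytes:
    """One keytab record (what one 'addent -password' produces). The kvno must
    match the key version the KDC issues tickets under for this principal."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    key = rc4_hmac_key(password)
    body += struct.pack(">HH", RC4_HMAC, len(key)) + key
    body += struct.pack(">I", kvno)       # full 32-bit kvno; readers use it if present
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(entries)   # keytab file format version 2


def write_keytab(path: str, data: bytes) -> None:
    """Create the file 0600 from the start rather than chmod-ing it afterwards,
    so the password-equivalent key is never world-readable even briefly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


class _Cur:
    """Tiny cursor for big-endian field reads."""
    def __init__(self, data, pos):
        self.d, self.p = data, pos

    def u(self, fmt):
        n = struct.calcsize(fmt)
        (v,) = struct.unpack(fmt, self.d[self.p:self.p + n])
        self.p += n
        return v

    def bs(self, n):
        v = self.d[self.p:self.p + n]
        self.p += n
        return v


def read_keytab(data: bytes):
    """Parse a version-2 keytab as 'klist -k -e -t' would list it.
    Returns [(kvno, timestamp, principal, enctype, key), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        c = _Cur(data, pos)
        ncomp = c.u(">H")
        realm = c.bs(c.u(">H")).decode()
        comps = [c.bs(c.u(">H")).decode() for _ in range(ncomp)]
        c.u(">I")                         # name type, not needed for listing
        ts, vno8, etype = c.u(">I"), c.u(">B"), c.u(">H")
        key = c.bs(c.u(">H"))
        vno = c.u(">I") if c.p + 4 <= pos + size else vno8
        out.append((vno, ts, "/".join(comps) + "@" + realm, etype, key))
        pos += size
    return out


if __name__ == "__main__":
    kt = build_keytab([keytab_entry("xf1adm@LAB-PASSHE.LCL", "Sample-Pass-1", 2, 1295043664)])
    for vno, ts, princ, etype, key in read_keytab(kt):
        print(vno, ts, princ, etype, key.hex())
```

Because the key material is just the NT hash of the account password, anyone who can read this file can authenticate as the principal until the password changes, which is the same exposure as the password itself; that is the reason for the advice to keep the keytab off /tmp and mode 0600.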
