[31351] in Kerberos


Re: Authenticating debian users against AD

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Aug 10 11:40:48 2009

Message-ID: <4A803F67.4060308@anl.gov>
Date: Mon, 10 Aug 2009 10:40:23 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: kerberos@noopy.org
In-Reply-To: <cba4e37e0908100742r1ce46855gb399ef479d88a6fc@mail.gmail.com>
Cc: jarek <jarek@nospam.pl>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



kerberos@noopy.org wrote:
> On Mon, Aug 10, 2009 at 9:39 AM, Douglas E. Engert<deengert@anl.gov> wrote:
>>
>> Javier Palacios wrote:
>>> Personally, I got many problems while using ktpass to create a keytab.
>> We don't use it either, but msktutil instead. But Jarek was using ktpass
>> so my suggestion was to understand what is going on under the covers
>> and use ktpass correctly.
> 
> I like msktutil a lot but it's not always the case that one has rights
> to change objects in AD. 

Then all of these tools are all but useless, as the intent is to create
a keytab that matches what is in AD. Most of these tools will change the password
to a random password, update AD, and create a keytab at the same time.
The password and the msDS-KeyVersionNumber in AD must be in sync with the
key and KVNO in the keytab for Kerberos to work.

So only if you knew the password, KeyVersionNumber and salt could
you create a keytab that matched. I don't think that is his case.
If it was he could also use ktutil to create a keytab.

> ktpass.exe (when used w/SP2 under Windows
> 2003) *can* simplify the process of keytab creation but OTOH I don't
> think it solves the problem entirely/completely.

I think his problem was misunderstanding of how Kerberos works.

> 


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
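
Added example, not part of the original message or of any tool named in it: a small Python reader for the MIT keytab file format (0x0502) that lists each entry's principal, KVNO and enctype and flags entries whose KVNO differs from the account's msDS-KeyVersionNumber. The function names, the EXAMPLE.COM principal and the sample bytes are constructed for illustration, and the AD value is assumed to have been looked up separately.

```python
import struct

def _parse_entry(buf):
    """Decode one keytab entry body into (principal, kvno, enctype)."""
    off = 0
    def counted():                       # uint16 length followed by that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", buf, off)
        off += 2 + n
        return buf[off - n:off]
    (ncomp,) = struct.unpack_from(">H", buf, off)
    off += 2
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    off += 8                             # skip name type and timestamp
    kvno = buf[off]                      # 8-bit KVNO
    (enctype,) = struct.unpack_from(">H", buf, off + 1)
    off += 3
    counted()                            # key bytes, never shown
    if len(buf) - off >= 4:              # optional 32-bit KVNO overrides the 8-bit one
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return "/".join(comps) + "@" + realm, kvno, enctype

def parse_keytab(data):
    """List (principal, kvno, enctype) for every entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)                 # negative size marks a deleted slot
    return entries

def out_of_sync(entries, ad_kvno):
    """Entries whose KVNO differs from the account's msDS-KeyVersionNumber."""
    return [e for e in entries if e[1] != ad_kvno]

def _sample_entry(kvno, enctype, key):   # builds constructed test data only
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"host") + cs(b"debian.example.com")
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an rc4-hmac (23) key at KVNO 3 and a stale aes256 (18) key at KVNO 2.
SAMPLE = b"\x05\x02" + _sample_entry(3, 23, bytes(16)) + _sample_entry(2, 18, bytes(32))

if __name__ == "__main__":
    for principal, kvno, enctype in out_of_sync(parse_keytab(SAMPLE), ad_kvno=3):
        print(f"stale: {principal} kvno={kvno} enctype={enctype}")
```

A matching KVNO is necessary but not sufficient: the key itself must also derive from the current AD password and salt, which this check cannot see.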
