As a function of binding a Mac OS X machine to the domain, as of 10.4 and later, the directory service plug-in creates a /etc/krb5.keytab with service principals for the machine. Now, in theory, there are at least two services (neither of which is available at the moment) where the machine itself is the client and needs to authenticate itself to another machine: (1) Dynamic DNS via GSS-TSIG, and (2) other machines running IPsec via Kerberos-based IKE. If this were a user principal, I'd have thought I'd need a TGT for the user, with which to get a service principal for the remote machine (either a DNS box or an IPsec-running peer) in order to perform the authentication, and then subsequently have to renew and/or refresh the TGT as it neared or reached its expiration date so as to continue to perform these operations over time (as a service).

In the keytab world, do you still have to get a TGT for the machine in order to get a service ticket for the remote machines? Can you get it directly via the keytab without entering a password? Or can you go directly from keytab to remote machine service ticket without having to deal with a TGT?

(And furthermore, if there's publicly available documentation and/or web references that describe this, I'd appreciate a pointer.)

Nathan Herring
CoreCLR SDE/Development
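The keytab-based flow the post asks about, as an added example that is not part of the original message: a small POSIX shell helper that acquires the machine's TGT from /etc/krb5.keytab with `kinit -k -t` (no password is entered; the keytab key stands in for it), checks whether a valid TGT is already in the cache, and re-acquires it when it has expired. Service tickets for the remote machine (the DNS server's or IPsec peer's principal) are then obtained by the client library from that TGT in the usual way. Assumptions (not from the post): MIT-style `kinit`/`klist` option syntax (`klist -s` is MIT's silent validity check; Heimdal uses `klist -t`), the principal name `host/<fqdn>@<REALM>`, and the cache path under /tmp.

```shell
#!/bin/sh
# Keep a machine TGT alive from a keytab. Run periodically (cron/launchd)
# rather than renewing: re-acquiring from the keytab is the refresh.
# Assumptions: MIT Kerberos CLI syntax; host/<fqdn>@<REALM> principal.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Build the machine's principal name: service/fqdn@REALM
machine_principal() {
    # $1 = service (e.g. host), $2 = fqdn, $3 = realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Derive a per-principal credential cache path (assumed layout, not the
# OS default); '/' and '@' are mapped so the name is a single path component.
cache_for_principal() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$(printf '%s' "$1" | tr '/@' '__')"
}

# 0 if the cache holds a valid, unexpired TGT (klist -s: silent, exit status only)
have_valid_tgt() {
    KRB5CCNAME="$1" klist -s 2>/dev/null
}

# Obtain a fresh TGT for the principal using the keytab key instead of a password.
acquire_tgt_from_keytab() {
    # $1 = principal, $2 = credential cache
    KRB5CCNAME="$2" kinit -k -t "$KEYTAB" "$1"
}

# Ensure a usable TGT exists; returns 0 on success, 1 if kinit failed.
ensure_tgt() {
    princ="$(machine_principal host "$1" "$2")"
    cache="$(cache_for_principal "$princ")"
    if have_valid_tgt "$cache"; then
        echo "TGT for $princ still valid in $cache"
        return 0
    fi
    if acquire_tgt_from_keytab "$princ" "$cache"; then
        echo "acquired TGT for $princ from $KEYTAB into $cache"
        return 0
    fi
    echo "failed to acquire TGT for $princ" >&2
    return 1
}

# Usage: RUN_ENSURE=1 ./keytab_tgt.sh mac1.example.com EXAMPLE.COM
if [ "${RUN_ENSURE:-0}" = 1 ]; then
    ensure_tgt "$1" "$2"
fi
```

Once `ensure_tgt` has populated the cache, any GSSAPI client run with the same `KRB5CCNAME` will request the service ticket for the remote principal (for example `DNS/ns1.example.com@EXAMPLE.COM`) from the KDC automatically; the operator never handles that ticket directly.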