On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible [1].


Nor ist it possible to extract them from MIT krb5 KDCs.

> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a keytab file.


You can build keytabs directly on MIT krb5 systems using the MIT krb5
API, or even interactively with kpasswd and ktutil (an early version of
adjoin [see below] did just that).

Or you could probably just use or adapt Sun's adjoin/ksetpw tools to
your purposes:

http://www.sun.com/bigadmin/features...rberos_s10.jsp
http://www.sun.com/bigadmin/features...rberos_s10.pdf
http://opensolaris.org/os/project/wi...n-s10u4.tar.gz
http://opensolaris.org/os/project/wi...n-s10u5.tar.gz

> Note that you must have at least account operator privilege to set a
> password in AD.


Indeed.

> Mike
>
> [1] There is a freeware utility called ktexport that can extract the
> keys from a DC and dump them into a keytab but it is only (sometimes)
> useful for debugging purposes with WireShark. The resulting keytab is
> not valid for use with any kind of service.


Sure, if you have direct, privileged access to a KDC you could always
extract its keys. Portions of the KDC could run directly in a hardware
keystore, making it really hard to get to the keys, but that's not the
case here.

Nico
--