Re: Creating an MIT style keytab for an existing Windows AD member computer - Kerberos
On Wed, Jul 23, 2008 at 05:55:20PM -0700, Russ Allbery wrote:
> Nicolas Williams writes:
> > On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
>
> >> Extracting the keys from AD is not possible [1].
>
> > Nor is it possible to extract them from MIT krb5 KDCs.
>
> It is as of 1.6 using kadmin.local (not that this changes the rest of your
> point).
Right, it doesn't -- running kadmin.local on the KDC with sufficient
privilege qualifies as "privileged access to a KDC"