ktutil get - Kerberos



Thread: ktutil get

  1. ktutil get

    Colleagues,

    There is a very useful command "ktutil get" in Heimdal. It allows to
    conveniently join a host into a Kerberos domain, without bothering
    about transferring the keytab.

    What is the analogous command in the Solaris Kerberos implementation?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  2. Re: ktutil get

    Victor Sudakov wrote:

    > There is a very useful command "ktutil get" in Heimdal. It allows to
    > conveniently join a host into a Kerberos domain, without bothering
    > about transferring the keytab.


    > What is the analogous command in the Solaris Kerberos implementation?


    No Solaris Kerberos experts here? Well, what is the analogous command
    in MIT Kerberos?

    TIA.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  3. Re: ktutil get

    Victor Sudakov wrote:

    > > There is a very useful command "ktutil get" in Heimdal. It allows to
    > > conveniently join a host into a Kerberos domain, without bothering
    > > about transferring the keytab.


    > > What is the analogous command in the Solaris Kerberos implementation?


    > No Solaris Kerberos experts here? Well, what is the analogous command
    > in MIT Kerberos?


    Am I asking something stupid? How do you securely transfer a keytab
    for the host principal to the host? "ktutil get" does just that.


    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  4. Re: ktutil get

    Victor Sudakov wrote:
    > Victor Sudakov wrote:
    >
    >
    >>> There is a very useful command "ktutil get" in Heimdal. It allows to
    >>> conveniently join a host into a Kerberos domain, without bothering
    >>> about transferring the keytab.
    >>>

    >
    >
    >>> What is the analogous command in the Solaris Kerberos implementation?
    >>>

    >
    >
    >> No Solaris Kerberos experts here? Well, what is the analogous command
    >> in MIT Kerberos?
    >>

    >
    > Am I asking something stupid? How do you securely transfer a keytab
    > for the host principal to the host? "ktutil get" does just that.
    >
    >
    >

    Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?

    Jason

  5. Re: ktutil get

    On Tue, Aug 05, 2008 at 04:44:54AM +0000, Victor Sudakov wrote:
    > Victor Sudakov wrote:
    >
    > > > There is a very useful command "ktutil get" in Heimdal. It allows to
    > > > conveniently join a host into a Kerberos domain, without bothering
    > > > about transferring the keytab.

    >
    > > > What is the analogous command in the Solaris Kerberos implementation?

    >
    > > No Solaris Kerberos experts here? Well, what is the analogous command
    > > in MIT Kerberos?

    >
    > Am I asking something stupid? How do you securely transfer a keytab
    > for the host principal to the host? "ktutil get" does just that.


    kadmin(1M) is the tool to use to set principal keys and maintain keytab
    files. The kadmin protocol uses RPCSEC_GSS and Kerberos for transport
    protection.

    If you want to move keytab files around securely then use ssh/sftp or
    any other secure file transfer or remote filesystem protocol.

    Nico
    --

  6. Re: ktutil get

    >>
    >> Am I asking something stupid? How do you securely transfer a keytab
    >> for the host principal to the host? "ktutil get" does just that.
    >>

    > Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?


    I think what Victor actually asks for is a single command to do something like
    kadmin -q "addprinc -randkey `hostname -f`" && kadmin -q "ktadd `hostname -f`"

    Javier Palacios

  7. Re: ktutil get

    Javier Palacios wrote:
    > >>
    > >> Am I asking something stupid? How do you securely transfer a keytab
    > >> for the host principal to the host? "ktutil get" does just that.
    > >>

    > > Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?


    > I think what Victor actually asks for is a single command to do something like
    > kadmin -q "addprinc -randkey `hostname -f`" && kadmin -q "ktadd `hostname -f`"


    http://www.freebsd.org/cgi/man.cgi?query=ktutil
    You run "ktutil get host/A" on host A and it does the following in one
    step:

    1. Contacts the remote kadmind, creates the principal host/A there
    with a random key.
    2. Securely transfers the keys back to host A.
    3. Installs them in host A's keytab.

    which is a very convenient way of joining a host into a Kerberos
    domain. This method does not require any external means to transfer a
    keytab (like ssh or floppy).

    From your replies I guess that this convenient feature is totally
    missing from MIT Kerberos (or is implemented in a totally different
    manner).


    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/
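    The MIT/Solaris-side equivalent of the three "ktutil get host/A" steps above (the addprinc -randkey / ktadd pair from the earlier reply), as an added example that is not code from the thread. It assumes an admin principal in ADMIN that may add principals and extract keys, and a keytab path in KEYTAB; both are placeholders.

    ```shell
    #!/bin/sh
    # Added example: reproduce Heimdal's "ktutil get host/A" with the MIT
    # kadmin(1M) client, run on host A itself. Transport protection comes
    # from kadmin's RPCSEC_GSS channel, so no ssh/sftp/floppy is needed.
    set -eu

    ADMIN="${ADMIN:-admin/admin}"              # assumed admin principal
    KEYTAB="${KEYTAB:-/etc/krb5/krb5.keytab}"  # assumed keytab location

    # Service principal for a host; kadmin appends the default realm.
    host_principal() {
        printf 'host/%s' "$1"
    }

    # Emit the two kadmin commands that map onto the Heimdal steps:
    #   1. create host/A on the remote kadmind with a random key
    #   2. pull the keys into the local keytab (ktadd also re-randomizes
    #      the key and bumps the kvno, so any older keytab copy is invalidated)
    join_commands() {
        princ=$(host_principal "$1")
        printf 'kadmin -p %s -q "addprinc -randkey %s"\n' "$ADMIN" "$princ"
        printf 'kadmin -p %s -q "ktadd -k %s %s"\n' "$ADMIN" "$KEYTAB" "$princ"
    }

    # Run the join for this host (default: its FQDN), then make sure the
    # keytab is readable by root only and really contains the new principal.
    join_host() {
        fqdn=${1:-$(hostname -f)}
        join_commands "$fqdn" | while read -r cmd; do
            echo "+ $cmd"
            eval "$cmd"
        done
        chmod 600 "$KEYTAB"
        klist -k "$KEYTAB" | grep -q "$(host_principal "$fqdn")@"
    }

    # Usage: save as join_host.sh and run ./join_host.sh [fqdn] as root.
    case "${0##*/}" in
        join_host.sh) join_host "$@" ;;
    esac
    ```
    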

  8. Re: ktutil get

    Jason Edgecombe wrote:
    > >
    > >>> There is a very useful command "ktutil get" in Heimdal. It allows to
    > >>> conveniently join a host into a Kerberos domain, without bothering
    > >>> about transferring the keytab.
    > >>>

    > >
    > >
    > >>> What is the analogous command in the Solaris Kerberos implementation?
    > >>>

    > >
    > >
    > >> No Solaris Kerberos experts here? Well, what is the analogous command
    > >> in MIT Kerberos?
    > >>

    > >
    > > Am I asking something stupid? How do you securely transfer a keytab
    > > for the host principal to the host? "ktutil get" does just that.
    > >
    > >
    > >

    > Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?


    I think so, at least according to kadmin(1M) it must be what I am
    looking for.

    It is a pity I cannot check it out because Solaris' kadmin seems to be
    incompatible with FreeBSD's kadmind:
    $ kadmin
    kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU
    $ cat /etc/krb5/krb5.conf
    # by VAS

    [libdefaults]
    default_realm = SIBPTUS.TOMSK.RU
    dns_lookup_kdc = yes
    $
    $ host -t srv _kerberos-adm._tcp.sibptus.tomsk.ru
    _kerberos-adm._tcp.sibptus.tomsk.ru has SRV record 0 0 749 big.sibptus.tomsk.ru.
    $



    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  9. Re: ktutil get

    Nicolas Williams wrote:

    > If you want to move keytab files around securely then use ssh/sftp or
    > any other secure file transfer or remote filesystem protocol.


    I was looking for a method of secure key transfer from the kdc to the
    host's keytab without any external means like ssh/sftp/floppy.

    It seems that "kadmin ktadd" could do this for me if only it were
    compatible with Heimdal's kadmind.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  10. Re: ktutil get

    Victor Sudakov wrote:

    > It is a pity I cannot check it out because Solaris' kadmin seems to be
    > incompatible with FreeBSD's kadmind:
    > $ kadmin
    > kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU


    I see, Solaris kadmin looks for _kerberos-adm._udp.SIBPTUS.TOMSK.RU
    What gives? FreeBSD's kadmind (Heimdal) does not listen on udp, it
    uses 749/tcp.

    Is there a way to make them work together, or is it hopeless?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  11. Re: ktutil get

    On Wed, Aug 06, 2008 at 03:38:27AM +0000, Victor Sudakov wrote:
    > Victor Sudakov wrote:
    >
    > > It is a pity I cannot check it out because Solaris' kadmin seems to be
    > > incompatible with FreeBSD's kadmind:
    > > $ kadmin
    > > kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU

    >
    > I see, Solaris kadmin looks for _kerberos-adm._udp.SIBPTUS.TOMSK.RU
    > What gives? FreeBSD's kadmind (Heimdal) does not listen on udp, it
    > uses 749/tcp.
    >
    > Is there a way to make them work together, or is it hopeless?


    The kadmin protocol is not standard.

    Heimdal's kadmin protocol and MIT's (from which Solaris' derives) are
    incompatible. That said, later today I'll send out program source that
    might help you.

    Nico
    --

  12. Re: ktutil get

    On Wed, Aug 06, 2008 at 10:18:01AM -0500, Nicolas Williams wrote:
    > On Wed, Aug 06, 2008 at 03:38:27AM +0000, Victor Sudakov wrote:
    > > Victor Sudakov wrote:
    > >
    > > > It is a pity I cannot check it out because Solaris' kadmin seems to be
    > > > incompatible with FreeBSD's kadmind:
    > > > $ kadmin
    > > > kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU

    > >
    > > I see, Solaris kadmin looks for _kerberos-adm._udp.SIBPTUS.TOMSK.RU
    > > What gives? FreeBSD's kadmind (Heimdal) does not listen on udp, it
    > > uses 749/tcp.
    > >
    > > Is there a way to make them work together, or is it hopeless?

    >
    > The kadmin protocol is not standard.
    >
    > Heimdal's kadmin protocol and MIT's (from which Solaris' derives) are
    > incompatible. That said, later today I'll send out program source that
    > might help you.


    A while back I wrote a utility for building keytab files when using
    Active Directory as the KDC; it uses the RFC3244 protocol to set the
    "password" of the given principal, so it should work with Heimdal.

    You can find it here:

    http://www.sun.com/bigadmin/features...rberos_s10.jsp

    Nico
    --

  13. Re: ktutil get

    > A while back I wrote a utility for building keytab files when using
    > Active Directory as the KDC; it uses the RFC3244 protocol to set the
    > "password" of the given principal, so it should work with Heimdal.


    It's nice to see a source code sample for this. Up to now I did use
    the binary-only adkadmin from Certified Security Solutions.

    Has anybody tried the 'Active Directory' mode of Heimdal's kadmin?

    By the way, my tests with W3K R2 Enterprise did show that neither SFU
    nor the Identity Management for Unix (which I didn't know about) is
    strictly required. The Unix schema is actually there, and if you are
    ready for some debugging loops you can do everything with ldapmodify
    from the Unix (Fedora/Ubuntu) box. And as far as I remember, you don't
    need to fix a NIS domain attribute.

    Javier Palacios
