Using Kerberos on UNIX against AD2003 - Kerberos


Thread: Using Kerberos on UNIX against AD2003

  1. Using Kerberos on UNIX against AD2003


    Hello,
    I have to build a solution to authenticate users on both Windows and Unix
    workstations. I have read two tutorials about this subject:

    * http://publib16.boulder.ibm.com/doc_...eros_intro.htm
    * http://www.microsoft.com/downloads/d...P%2fOppQ%3d%3d
    *

    There is a point I do not understand and I hope you could help me. When you
    want to add a UNIX user in AD, you have to create a keytab file on the
    server (with this command: Ktpass -princ hostname/username.xyz.com@MYREALM
    -mapuser username -pass password -out username.keytab), then go to the
    workstation and merge this file with the workstation's keytab file. Here is
    my question: I have 10 workstations, and I want to add a new user who could
    use any of these workstations. Do I have to create 10 keytab files and then
    merge them on the 10 workstations? Actually I am working with more than 30
    UNIX users/workstations, so I guess you can understand my problem. Am I
    missing something? Is there any easier solution?

    Thank you !
    Regards, Benoit.
    --
    View this message in context: http://www.nabble.com/Using-Kerberos....html#a6541923
    Sent from the Kerberos - General mailing list archive at Nabble.com.

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Using Kerberos on UNIX against AD2003



    jzm wrote:
    > Hello,
    > I have to build a solution to authenticate users on both Windows and Unix
    > workstations. I have read two tutorials about this subject:
    >
    > * http://publib16.boulder.ibm.com/doc_...eros_intro.htm
    > * http://www.microsoft.com/downloads/d...P%2fOppQ%3d%3d
    > *
    >
    > There is a point I do not understand and I hope you could help me. When you
    > want to add a UNIX user in AD, you have to create a keytab file


    No. The keytab files are for servers, not users. An AD user is a Kerberos
    user.


    > on the
    > server (with this command: Ktpass -princ hostname/username.xyz.com@MYREALM
    > -mapuser username -pass password -out username.keytab),


    The -mapuser is a misleading term. For a server you create in AD what
    looks like a "user" account, but it is for the server only. Then the ktpass
    command assigns a Service Principal Name, or SPN, to the "user" account for
    this service. When you create this "user" account for the service, you can
    pick a name for it (which must be unique in the forest); we have been using
    something like -- (we have an extra DNS
    level in most of our names), so if the host was called mylinux.div.anl.gov
    the "username" for the service principal would be host-mylinux-div
    and the SPN would be host/mylinux.div.anl.gov@ANL.GOV.
    The commonly used service name is host. There could be others like
    HTTP, pop, cvs, afs or ftp. Using the - allows each to
    have a different account name and SPN.

    So your ktpass should look something like:

    Ktpass -princ host/hostname.xyz.com@MYREALM
    -mapuser host-hostname -pass password -out hostname.keytab

    > then go to the
    > workstation and merge this file with the workstation's keytab file. Here is
    > my question: I have 10 workstations, and I want to add a new user who could
    > use any of these workstations. Do I have to create 10 keytab files and then
    > merge them on the 10 workstations?


    No. Only add one account for each server.

    > Actually I am working with more than 30 UNIX
    > users/workstations, so I guess you can understand my problem. Am I
    > missing something? Is there any easier solution?


    Yes, msktutil and Samba's winbind. Google for msktutil.

    >
    > Thank you !
    > Regards, Benoit.


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
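A check for the UNIX end of the advice above, added here as an example; it is not from the thread, from MIT Kerberos or from any other project. It parses a saved `klist -k` listing of a workstation's keytab and confirms two things the reply insists on: the keytab holds the machine's own host SPN, host/<fqdn>@REALM, and it holds no per-user entries or service principals whose instance is some other name (which is exactly what the hostname/username.xyz.com keytabs in the question would leave behind). The hostname ws01.xyz.com, the realm MYREALM and the listing itself are constructed sample values; the function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check a keytab listing against the "one host principal
# per host, no user keys" rule. Works on the output of `klist -k FILE` or
# `klist -kt FILE`: entry lines start with a KVNO number and end with the
# principal name, so only the first and last fields are used.

# Distinct principal names in a saved listing (one keytab entry per enctype
# would otherwise repeat the same principal several times).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' "$1" | LC_ALL=C sort -u
}

# Succeeds when the keytab holds this machine's host SPN: host/<fqdn>@<REALM>.
# Arguments: listing file, FQDN, realm.
has_host_principal() {
    keytab_principals "$1" | grep -qxF "host/$2@$3"
}

# Entries that do not belong in this host's keytab: user principals (no
# service/instance part) and service principals whose instance is not this
# host's FQDN. Arguments: listing file, FQDN.
stray_principals() {
    keytab_principals "$1" | awk -v fqdn="$2" '
        { p = $0; sub(/@.*/, "", p); n = split(p, parts, "/") }
        n != 2 || parts[2] != fqdn { print }'
}

# Human-readable report combining both checks.
check_keytab() {
    if has_host_principal "$1" "$2" "$3"; then
        echo "ok: host/$2@$3 present"
    else
        echo "missing: host/$2@$3"
    fi
    stray_principals "$1" "$2" | sed 's/^/stray: /'
}

# Constructed sample listing (not real output from anyone's host): the host
# and HTTP SPNs are correct, the last two entries are the per-user keys the
# question's ktpass invocation would produce.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ws01.xyz.com@MYREALM
   3 host/ws01.xyz.com@MYREALM
   3 HTTP/ws01.xyz.com@MYREALM
   2 hostname/benoit.xyz.com@MYREALM
   2 benoit@MYREALM
EOF

check_keytab "$SAMPLE" ws01.xyz.com MYREALM
```

On a real workstation the listing comes from `klist -k /etc/krb5.keytab > /tmp/kt.txt`, followed by `check_keytab /tmp/kt.txt "$(hostname -f)" MYREALM`. A passing listing only proves the names are right; `kinit -k host/$(hostname -f)` then proves the key in the keytab actually matches what AD holds for that account, which is the step that catches a stale KVNO after the account's password has been reset.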

