service principal management with Active Directory KDC - Kerberos



Thread: service principal management with Active Directory KDC

  1. service principal management with Active Directory KDC


    Hi, we want to use our Active Directory KDC to manage service principals
    for nfs and ssh for quite a few Linux and Solaris machines, and would
    prefer to automate generating the service principals and installing them
    on the clients. I was thinking that one way to approach this problem
    could be by installing Cygwin SSH daemon on the Active Directory server.
    Are there any downsides to this?

    The other way I think is to set up a cross-realm trust with an MIT KDC
    and have one MIT kerberos realm for service principals, and use the
    Active Directory for authenticating our user accounts. I haven't tried
    doing this yet, but imagine it's not too hard.

    If anyone has any thoughts or ideas about this, I'd be happy to hear
    them. Thanks!

    Rohit
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: service principal management with Active Directory KDC

    On Tue, 03 Apr 2007 10:17:41 -0400
    Rohit Kumar Mehta wrote:

    >
    > Hi we want to use our Active Directory KDC to manage service principals
    > for nfs and ssh for quite a few Linux and Solaris machines, and would
    > prefer to automate generating the service principals and installing them
    > on the clients.


    > If anyone has any thoughts or ideas about this, I'd be happy to hear
    > them. Thanks!


    Hi Rohit,

    There's a PHP extension for Linux called Plexcel that can create accounts
    in AD, add, modify and delete attributes (e.g. SPNs), set passwords and,
    most importantly, it has the following function:

    bool plexcel_gen_service_keytab(resource $px,
                                    string $acctname,
                                    string $password,
                                    string $keytab_path)

    The plexcel_gen_service_keytab function creates a keytab file from the
    supplied account name and password. The first entry of the keytab file
    will have a principal matching the UPN of the named account. Additional
    entries will be created for each servicePrincipalName set on the named
    account. All cryptographic keys will be the same. The key is generated
    from the supplied password. The current enctype and kvno are extracted
    from a TGT acquired for the account.

    This function was added for the Plexcel Setup utility so that the operator
    would not have to do anything on the Windows end to install it. But it has
    occurred to us that this could be the basis for a simple administrative
    tool used to generate service keytab files for UNIX services. In fact,
    the Plexcel Setup utility can do it now. Below is a listing from a keytab
    file I created with Plexcel Setup. I added the SPNs, set the password
    and voila, the keytab file was created.

    # ktutil -k /tmp/plexcel.keytab list
    /tmp/plexcel.keytab:

    Vno  Type              Principal
      2  arcfour-hmac-md5  appserver1@FOO.NET
      2  arcfour-hmac-md5  host/appserver1.foo.net@FOO.NET
      2  arcfour-hmac-md5  ftp/fs1.foo.net@FOO.NET
      2  arcfour-hmac-md5  nfs/fs1.foo.net@FOO.NET
      2  arcfour-hmac-md5  HTTP/appserver1.foo.net@FOO.NET

    Of course you don't have to use the same account for all services. This
    is just the way Plexcel Setup works. The API is very easy to use. There's
    a detailed developer's guide with an API reference.

    Also, PHP has an SSH extension that looks like it can scp files around
    (but I've never tried it). And Plexcel fully supports SSO and delegation
    so the said SSH extension should be able to use your creds to do the copy
    so at no time should you have to enter a password or put passwords in
    config files. You just have to access the site with credentials suitable
    for creating accounts in AD.

    Anyway the package is here:

    http://www.ioplex.com/plexcel.html

    Note that even though it's a commercial product, it is free for up to
    25 users so a web utility used by a few admins isn't going to cost you
    a dime. And there's no registration required to download it. We only
    ask that if you have any problems that you let us know so that we can
    make the product better for the paying customers.

    Mike

    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/
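The following is an added example, not code from the thread or from Plexcel. It reproduces, with stock Python, what Mike's reply describes plexcel_gen_service_keytab doing: build an MIT-format keytab with one entry for the account UPN plus one per servicePrincipalName, every entry carrying the same key. It also shows why the keys are identical. For arcfour-hmac-md5 (enctype 23) the Kerberos string-to-key function is MD4 over the UTF-16LE password with no salt, i.e. the account's NT hash, so the SPN plays no part in the key. The kvno is passed in as a parameter (the listing above shows 2); the reply obtains it from a TGT, which an offline example cannot do. The account, realm and SPNs are copied from the listing, the password "password" and the MD4 fallback are constructed for the example, and the small reader at the end prints the same columns as ktutil list so the result can be checked.

```python
"""MIT-format keytab for an AD service account, as the reply describes.

Added example, not Plexcel code: one entry for the account UPN plus one per
servicePrincipalName, all sharing one arcfour-hmac-md5 key.  For RC4 (enctype
23) that key is the unsalted NT hash MD4(UTF-16LE(password)), so it is the same
for every entry.  The kvno is a parameter; the reply reads it from a TGT.
"""
import struct
import time

MASK32 = 0xFFFFFFFF
ENCTYPE_ARCFOUR_HMAC_MD5 = 23
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4, in pure Python because OpenSSL 3 builds often drop it."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(msg) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shifts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_key(password: str) -> bytes:
    """arcfour-hmac-md5 string-to-key: MD4 over UTF-16LE, no salt (the NT hash)."""
    return md4(password.encode("utf-16-le"))


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(account, realm, spns, password, kvno, timestamp=None) -> bytes:
    """Keytab bytes: UPN entry first, then one entry per SPN, all with one key."""
    key = rc4_hmac_key(password)
    ts = int(time.time()) if timestamp is None else timestamp
    out = bytearray(KEYTAB_MAGIC)
    for princ in [account] + list(spns):
        comps = princ.split("/")                      # "nfs/fs1.foo.net" -> 2 components
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", ENCTYPE_ARCFOUR_HMAC_MD5, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit vno, used by MIT when present
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def list_keytab(data: bytes):
    """Parse a v2 keytab into (vno, enctype, principal) rows, like `ktutil list`."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, rows = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0:
            break
        if size < 0:                                   # negative size = deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):                     # realm, then the components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _, _, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        rows.append((vno32 or vno8, enctype, "/".join(strings[1:]) + "@" + strings[0]))
        pos = end
    return rows


def demo():
    # Constructed input mirroring the listing in the reply; the password is made up.
    spns = ["host/appserver1.foo.net", "ftp/fs1.foo.net",
            "nfs/fs1.foo.net", "HTTP/appserver1.foo.net"]
    kt = build_keytab("appserver1", "FOO.NET", spns, "password", kvno=2, timestamp=0)
    return list_keytab(kt)


if __name__ == "__main__":
    for vno, etype, princ in demo():
        print(vno, "arcfour-hmac-md5" if etype == ENCTYPE_ARCFOUR_HMAC_MD5 else etype, princ)
```

Two practical consequences follow from the shared key. First, a keytab built this way is exactly as sensitive as the service account's NT hash: anyone who reads it can impersonate every service on the account and request tickets as the account itself, so copy it over an authenticated channel and restrict it to the service owner (mode 0600). Second, because AD derives the key from the account rather than from the SPN, rotating one service's key means rotating the account password, which invalidates every entry in the listing at once; use one account per host or per service if you need independent rotation.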

