On Wed, Nov 01, 2006 at 09:25:38AM -0600, Douglas E. Engert wrote: > > > scoco wrote: > > Hi Kerberos experts, > > > > could anyone help me in addressing this issue since I am a T-O-T-A-L > > newbie in Kerberos. > > > > I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1) > > using a windows2003 Active Directory as KDC, and I am compelled to use > > the credential of a user different from Solaris' user. > > > > Never tried Solaris 8 kerberos against AD but Solaris 10 kerberos works > well with AD. We have used MIT kerberos on all previous Solaris.
Thanks. Solaris 10 has full enctype support as well as TCP support amongst other things that make it play better with AD. > > Let's say I work with user appadm on Solaris and user > > [EMAIL PROTECTED] in AD. > > > > AD administrator generated a keytab for my Solaris user in this way: > > > > This is not needed. You are misinterpreting the "mapuser" of the ktpass. > The ktpass is used for serivces, not for users. The "mapuser" points > to an AD user type account, but the account is used for the service, > like host/[EMAIL PROTECTED] > > You are using kerberos/[EMAIL PROTECTED], that does not look like a user > or a service. > > > Ktpass -princ kerberos/[EMAIL PROTECTED] -mapuser > > domuser -pass [passwd of domuser] -out domuser.keytab > > > > and gave me the domuser.keytab file. > > Users don't normally have keytab files, only services like sshd, > ftpd, rlogind telnetd that al use the same host service principal. > > But a user can have a keytab file, and the security risks are about the > same as storing a password. Position of the keytab is almost as > good as possing the password. > > > > > I configured krb5.conf and stored the content of this keytab file in > > /etc/krb5/krb5.keytab via ktutil: > > > > ktutil: rkt domuser.keytab > > ktutil: l > > slot KVNO Principal > > ---- ---- > > -------------------------------------------------------------------------- > > 1 4 kerberos/[EMAIL PROTECTED] > > ktutil: wkt /etc/krb5/krb5.keytab > > ktutil: q > > > > If you application is trying to act as a user, you would not > want to put the keytab in the system's keytab file that is used > by root applications only. Put it in a seperate file. I agree. /etc/krb5/krb5.keytab should only be readable by root and contain service principal keys. > > Now I think my krb5.conf is correct since I am able to get a TGT via > > kinit in this way: > > kinit kerberos/[EMAIL PROTECTED] > > then I enter domuser's password and with klist I can see the TGT. > > But I need to obtain the credentials without entering a password since > > the kinit command has to be put in the startup script of an > > application. > > So the application is going to act as a user, and initiate sessions > to some other service? > > So I tried this: > > > > appadm 99% kinit -k kerberos/[EMAIL PROTECTED] > > kinit: Key table entry not found while getting initial credentials > > > > :-S ...nothing useful found till now to explain this... what's wrong? > > Any help appreciated. > > Could be a Solaris 8 SEAM problem. What does klist -k show? Are you running as root? -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
