If you want to validate passwords against Kerberos then you must have a
keytab. This is well known. The reason is that the process of obtaining
an initial ticket authenticates the user to the KDC, but not the KDC to
the host where the user is logging in. So the host has to use the user's
initial ticket (which had better be either a TGT or a ticket for a
service on the host) to get a service ticket for itself which it can
then validate using its keytab.

With AD you need to join the domain to do useful things, well, at least
win2k/winxp clients must join the domain to really participate in it. In
Windows speak joining a domain really means having a keytab. Non-Windows
OSes can't fully participate in AD domains anyway, so I suppose that
they don't absolutely need a keytab, unless you want to use Kerberos for
password validation (in which case see above).

Nico


On Tue, Jan 29, 2002 at 04:07:57PM -0600, Rick wrote:
> Under what circumstances would my host have a shared secret with the KDC?
> Note:  I moved the keytab file to a directory not in my path and I could
> still kinit the Win2k KDC.  I'm still trying to figure out why MS said I
> need the keytab file on the unix host.  Based on Sean's response I'm
> inclined to believe the only reason is that my host would automatically
> authenticate with the KDC (if necessary) when someone logs into it.
> 
> If that's true, logically it would make sense that the principal password is
> stored in the keytab file.  The contents of this file should then be the
> same as the result of the encrypt/hash algorithm kinit uses.  True?
> 
> If all that's true then it would stand to reason that the file isn't
> necessary unless someone logs into my unix host.  Let me further qualify
> that by adding the exemption of kerberized software that is capable of using
> a keytab file to automate authentication.  Am I right?
> 
> 
> 
> 
> "David Lawler Christiansen (NT)" <[EMAIL PROTECTED]> wrote in
> message
> news:[EMAIL PROTECTED].
> ntdev.microsoft.com...
> >
> >
> > > From: Nicolas Williams [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, January 29, 2002 6:40 AM
> >
> > [...]
> >
> > > In an ActiveDirectory world every host needs a keytab.
> >
> > AD does not mandate the use of a keytab.  However, you need a keytab if
> > your host is going to have a shared secret with the KDC, just as you
> > would with any other Kerberos Realm.
> >
> 
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-


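The argument in Nico's first paragraph, as an added example that is not part of the original thread: a toy model of the login-time check a host should perform. A rogue KDC can answer the initial (AS) exchange for any password the attacker chooses to type, so a host that stops there accepts the attacker; a host that then asks for a ticket for its own principal and verifies it with its keytab catches the spoof, because only the real KDC holds the host's key. Realm, principal names, passwords and keys are constructed, and "encryption" is modelled as an HMAC-SHA256 seal so the script runs offline with the standard library (real Kerberos uses AES with a keyed checksum, but the trust argument is identical).

```python
"""Toy model of KDC spoofing and the keytab-based defence (constructed example)."""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"   # constructed realm
TAG_LEN = 32


def string_to_key(password, principal):
    # Stand-in for Kerberos string2key: password plus the default salt
    # (realm followed by the principal's name components).
    salt = (REALM + principal.split("@")[0].replace("/", "")).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096)


def seal(key, body):
    # Models an EncryptedData part: only a holder of `key` can produce or
    # verify it.  The host relies on integrity, so an HMAC tag suffices here.
    data = json.dumps(body, sort_keys=True).encode()
    return data + hmac.new(key, data, hashlib.sha256).digest()


def unseal(key, blob):
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag):
        raise ValueError("does not verify under this key")
    return json.loads(data)


class KDC:
    """The real KDC: holds every principal's long-term key."""

    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)
        self.tgt_key = self.keys["krbtgt/%s@%s" % (REALM, REALM)]

    def as_exchange(self, client):
        # AS-REQ without pre-authentication: the reply is sent to anyone but
        # is usable only by a holder of the client's key.
        session = os.urandom(16).hex()
        tgt = seal(self.tgt_key, {"client": client, "session": session})
        return seal(self.keys[client], {"tgt": tgt.hex(), "session": session})

    def tgs_exchange(self, tgt_hex, service):
        tgt = unseal(self.tgt_key, bytes.fromhex(tgt_hex))
        return seal(self.keys[service], {"client": tgt["client"], "service": service})


class RogueKDC:
    """Attacker's KDC: knows no real keys, only the password the attacker
    will type at the host's login prompt."""

    def __init__(self, attacker_password):
        self.pw = attacker_password
        self.bogus_key = os.urandom(32)

    def as_exchange(self, client):
        # Always able to build an AS-REP that opens under the attacker's password.
        return seal(string_to_key(self.pw, client),
                    {"tgt": os.urandom(16).hex(), "session": "x"})

    def tgs_exchange(self, tgt_hex, service):
        # Cannot seal under the host's real key, so this ticket will not verify.
        return seal(self.bogus_key, {"client": "?", "service": service})


def validate_password(kdc, user, password, host_principal, keytab=None):
    """Host-side login check.  keytab=None is the unsafe variant that stops
    after the AS exchange; with a keytab the host verifies a ticket for its
    own principal, which only the real KDC can issue."""
    try:
        as_rep = unseal(string_to_key(password, user), kdc.as_exchange(user))
    except ValueError:
        return "rejected: bad password"
    if keytab is None:
        return "accepted: password only"            # KDC never verified
    ticket = kdc.tgs_exchange(as_rep["tgt"], host_principal)
    try:
        t = unseal(keytab[host_principal], ticket)
    except ValueError:
        return "rejected: KDC could not be verified with keytab"
    if t["client"] != user:
        return "rejected: ticket is for another client"
    return "accepted: password and KDC verified"


def demo():
    """Runs four login attempts and returns their outcomes in order."""
    host = "host/ws1.example.com@" + REALM   # constructed host principal
    user = "rick@" + REALM                   # constructed user principal
    keys = {
        user: string_to_key("correct horse", user),
        host: os.urandom(32),
        "krbtgt/%s@%s" % (REALM, REALM): os.urandom(32),
    }
    real, rogue = KDC(keys), RogueKDC("attacker-chosen")
    keytab = {host: keys[host]}              # what the host's keytab holds
    return [
        validate_password(real, user, "correct horse", host, keytab),
        validate_password(real, user, "wrong", host, keytab),
        validate_password(rogue, user, "attacker-chosen", host),          # no keytab: fooled
        validate_password(rogue, user, "attacker-chosen", host, keytab),  # keytab: caught
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third case is the one that matters: without a keytab the host has no way to distinguish the attacker's KDC from the real one, since the AS reply it accepted was built from the very password the attacker typed. The fourth case is the check MIT-style login code performs (request a ticket for `host/<fqdn>` and decrypt it with the keytab) before trusting the password.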