To use a computer account in AD for a principal you have to first create a normal computer account (e.g. mmtest) and then execute:

C:\program files\Support Tools>ktpass -out d:\Temp\test1.keytab -pass Test000$ -crypto rc4-hmac-nt /ptype KRB5_NT_SRV_HST -princ testsvc/[EMAIL PROTECTED] -mapuser [EMAIL PROTECTED]
Targeting domain controller: testkdc.test.com
Using legacy password setting method
Successfully mapped testsvc/moelma.wks.uk.deuba.com to MMTEST$.
WARNING: Account MMTEST$ is not a user account (uacflags=0x1021).
WARNING: Resetting MMTEST$'s password may cause authentication problems if MMTEST$ is being used as a server.
Reset MMTEST$'s password [y/n]? y
Key created.
Output keytab to d:\Temp\test1.keytab:
Keytab version: 0x502
keysize 81 testsvc/[EMAIL PROTECTED] ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x5443b0c1ad573155fa2d95eee1971574)

This will create a keytab with an RC4 key which is mapped to a computer account. Any password expiry set for user accounts (e.g. domain wide settings) won't affect the computer account.

Regards
Markus

On Fri May 6 9:34 , jpbermejo <[EMAIL PROTECTED]> sent:
>On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote:
>> Tim,
>> in our setup we use computer accounts instead of user accounts, and haven't
>> experienced this issue. I think the latest ktpass can do this with
>> mapuser having a $ at the end.
>
>I don't know about computer accounts, but this DoS is not possible if
>you are using service principals. Active Directory doesn't allow login
>for service principals, and keytabs are only useful to decrypt tickets.
>Making an ldap query to AD, you can get things like
>
>dNSHostName: sist03lnx.domain.com
>userPrincipalName: HOST/[EMAIL PROTECTED]
>servicePrincipalName: HTTP/sist03lnx.domain.com
>servicePrincipalName: HTTP/sist03lnx
>
>In this case, only HOST/sist03lnx keytab works with `kinit -k`. If you
>attempt to get a TGT with the other principals, you get nothing.
>
>Javier Palacios

________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
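The file ktpass writes above is an MIT-format keytab (the "Keytab version: 0x502" stamp). As an added example, not code from this thread, the following Python reads such a file and reports each entry's principal, ptype, kvno and enctype the way ktpass does, without returning the key bytes, so an admin can verify what landed in the keytab before copying it to a server; it also skips deleted (negative-size) slots, which the thread does not discuss. The sample keytab it builds mirrors the entry above with a placeholder realm (EXAMPLE.COM) and placeholder key bytes.

```python
import struct

def build_keytab(entries):
    """Serialise (principal, ptype, vno, etype, key, timestamp) tuples as a v2 (0x0502) keytab."""
    out = bytearray(b"\x05\x02")
    for principal, ptype, vno, etype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))                  # v2: realm is not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", ptype, timestamp, vno & 0xFF)
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", vno)                         # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _counted(data, pos):  # 16-bit length-prefixed octet string -> (str, new pos)
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Describe each entry of a v2 keytab without returning key bytes; skips deleted (negative-size) slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:
            pos -= size                # hole left by a deleted entry
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        ptype, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        vno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "ptype": ptype,
                        "vno": vno, "etype": etype, "keylength": klen, "size": size})
        pos = end
    return entries

# Constructed sample mirroring the ktpass entry above (ptype 3 KRB5_NT_SRV_HST, etype 0x17 RC4-HMAC, vno 1, 16-byte key); realm and key are placeholders.
SAMPLE_KEYTAB = build_keytab([("testsvc/moelma.wks.uk.deuba.com@EXAMPLE.COM",
                               3, 1, 0x17, bytes(range(16)), 0)])
```

To check a real file, pass `open("test1.keytab", "rb").read()` to `parse_keytab` instead of the constructed sample.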