akshar kanak wrote:
> Dear Team
> Is it possible to directly extract the service keys (secret key
> shared between KDC and target server) from windows 2003 Domain Controller or
> Active directory for SPN cifs,smtpsvc,rpc, host etc and place them in
> keytab files which can be merged with Linux keytab file instead of
> adding new service to the AD using ktpass.exe.

AD does not store the keys, but a password associated with the account. Thus the UPN and all the SPNs for the account share the same key. Thus AD can generate a key for any crypto on the fly. If a salt is needed it is taken from the SAMAccountName on W2k and from the UPN on W2K3. So if you change the account password, all the keys change too.

In addition to the list of programs Michael listed, there is also msktutil written by Dan Perry. Google for msktutil to find a version. For example: http://download.systemimager.org/~finley/msktutil/

Msktutil runs on unix, uses OpenLDAP with SASL to authenticate to AD as an admin to add accounts and principals to the accounts, and maintain keytabs.

> Thanks and Regards
> Akshar
> ________________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
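The reply above says AD keeps only the account password and derives the key for every principal on that account from it, so all the SPNs share one key and a password change rotates them all. The following example is added here and is not part of the thread: it implements the RC4-HMAC string-to-key (RFC 4757, the MD4 of the UTF-16LE password, no salt) that a Windows 2003 domain uses by default, and checks the two properties on a constructed sample account; the account name, SPNs and passwords are made-up values.

```python
import struct

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib lacks it under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((56 - (len(msg) + 1) % 64) % 64)
    msg += struct.pack("<Q", bit_len)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: message words in order
            a = rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: fixed word permutation
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key (the NT hash): no salt, so the principal name plays no part."""
    return md4(password.encode("utf-16-le"))


def account_keytab_keys(password: str, principals: list) -> dict:
    """Key each principal mapped to the same AD account would carry in a keytab."""
    return {p: rc4_hmac_key(password).hex() for p in principals}


if __name__ == "__main__":
    # Constructed sample: one AD account holding a UPN and three SPNs.
    names = ["svc-web@EXAMPLE.COM", "cifs/web1.example.com",
             "HTTP/web1.example.com", "host/web1.example.com"]
    before = account_keytab_keys("Sample-Pass-1", names)
    after = account_keytab_keys("Sample-Pass-2", names)
    assert len(set(before.values())) == 1                    # one key for every SPN
    assert set(before.values()).isdisjoint(after.values())   # password change rotates all
    for name, key in before.items():
        print(name, key)
```

Because the key is a pure function of the password, a keytab entry for any one SPN is equivalent to the account password for every other principal on that account and must be protected accordingly.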
