scoco wrote: > Hi Kerberos experts, > > could anyone help me in addressing this issue since I am a T-O-T-A-L > newbie in Kerberos. > > I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1) > using a windows2003 Active Directory as KDC, and I am compelled to use > the credential of a user different from Solaris' user. >
Never tried Solaris 8 kerberos against AD but Solaris 10 kerberos works well with AD. We have used MIT kerberos on all previous Solaris. > Let's say I work with user appadm on Solaris and user > [EMAIL PROTECTED] in AD. > > AD administrator generated a keytab for my Solaris user in this way: > This is not needed. You are misinterpreting the "mapuser" of the ktpass. The ktpass is used for serivces, not for users. The "mapuser" points to an AD user type account, but the account is used for the service, like host/[EMAIL PROTECTED] You are using kerberos/[EMAIL PROTECTED], that does not look like a user or a service. > Ktpass -princ kerberos/[EMAIL PROTECTED] -mapuser > domuser -pass [passwd of domuser] -out domuser.keytab > > and gave me the domuser.keytab file. Users don't normally have keytab files, only services like sshd, ftpd, rlogind telnetd that al use the same host service principal. But a user can have a keytab file, and the security risks are about the same as storing a password. Position of the keytab is almost as good as possing the password. > > I configured krb5.conf and stored the content of this keytab file in > /etc/krb5/krb5.keytab via ktutil: > > ktutil: rkt domuser.keytab > ktutil: l > slot KVNO Principal > ---- ---- > -------------------------------------------------------------------------- > 1 4 kerberos/[EMAIL PROTECTED] > ktutil: wkt /etc/krb5/krb5.keytab > ktutil: q > If you application is trying to act as a user, you would not want to put the keytab in the system's keytab file that is used by root applications only. Put it in a seperate file. > Now I think my krb5.conf is correct since I am able to get a TGT via > kinit in this way: > kinit kerberos/[EMAIL PROTECTED] > then I enter domuser's password and with klist I can see the TGT. > But I need to obtain the credentials without entering a password since > the kinit command has to be put in the startup script of an > application. So the application is going to act as a user, and initiate sessions to some other service? So I tried this: > > appadm 99% kinit -k kerberos/[EMAIL PROTECTED] > kinit: Key table entry not found while getting initial credentials > > :-S ...nothing useful found till now to explain this... what's wrong? > Any help appreciated. Could be a Solaris 8 SEAM problem. > Thanks in advance! :D > Sandro > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
