Hello,

From time to time I've seen people asking about generating keytabs on Windows with ktpass.exe for UNIX and Linux services. Our new product (which is free for up to 25 users) is a PHP extension for Linux that can communicate with Active Directory to perform a variety of tasks. One of the functions in this extension is called plexcel_gen_service_keytab and is defined as:

  bool plexcel_gen_service_keytab(resource $px, string $acctname, string $password, string $keytab_path)

The plexcel_gen_service_keytab function creates a keytab file from the supplied account name and password. The first entry of the keytab file will have a principal matching the UPN of the named account. Additional entries will be created for each servicePrincipalName set on the named account. All cryptographic keys will be the same. The key is generated from the supplied password. The current enctype and kvno are extracted from a TGT for the account.

It has occurred to us that this could be the basis for a simple administrative tool used to create accounts and generate service keytab files for non-Windows systems on Windows networks. In fact, the setup tool used to install the product can do it now. Below is a listing from a keytab file I just created with Plexcel Setup without touching the Windows side (and it created the account as well). I added the SPNs, set the password and voila the keytab file was created.

  # ktutil -k /tmp/plexcel.keytab list
  /tmp/plexcel.keytab:

  Vno  Type              Principal
    2  arcfour-hmac-md5  [EMAIL PROTECTED]
    2  arcfour-hmac-md5  host/[EMAIL PROTECTED]
    2  arcfour-hmac-md5  ftp/[EMAIL PROTECTED]
    2  arcfour-hmac-md5  nfs/[EMAIL PROTECTED]
    2  arcfour-hmac-md5  HTTP/[EMAIL PROTECTED]

If you're interested, it's called Plexcel and is available for download here (no registration required):

  http://www.ioplex.com/plexcel.html

Again, it's free for 25 users so a little PHP script used by a few admins isn't going to trip up the limit.

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
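
An added example, not part of the original post and not Plexcel code: a small Python reader for the MIT keytab file format (version 0x0502) that an administrator could use to check the properties described above, namely that every entry carries the same key and that the only enctype present is arcfour-hmac-md5 (enctype 23). The helper names, the realm EXAMPLE.COM, the principals and the key bytes are all constructed for illustration.

```python
import struct

def _cstr(buf, off):
    """Read a counted string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return (kvno, enctype, principal, key) tuples from a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, nxt = [], 2
    while nxt + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, nxt)
        p, nxt = nxt + 4, nxt + 4 + abs(size)   # nxt: start of next record
        if size <= 0:                           # negative size: deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        names, p = [], p + 2
        for _ in range(ncomp + 1):              # realm first, then components
            name, p = _cstr(data, p)
            names.append(name)
        _type, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        key, p = data[p + 13:p + 13 + klen], p + 13 + klen
        if p > nxt or nxt > len(data):
            raise ValueError("truncated entry")
        if nxt - p >= 4:                        # optional 32-bit kvno after key
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append((kvno, etype, "/".join(names[1:]) + "@" + names[0], key))
    return entries

def audit(entries):
    """Flag the properties the post describes: one shared key, RC4 only."""
    keys, etypes = {e[3] for e in entries}, {e[1] for e in entries}
    return {"one_shared_key": len(keys) == 1, "rc4_only": etypes == {23}}

def make_entry(principal, realm, kvno, etype, key):
    """Serialise one entry; used only to build the constructed sample."""
    parts = [realm] + principal.split("/")
    names = b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body = (struct.pack(">H", len(parts) - 1) + names
            + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: principals, realm and key bytes are made up.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(p, "EXAMPLE.COM", 2, 23, bytes(range(16)))
    for p in ("svc-web", "host/web1.example.com", "HTTP/web1.example.com"))
```

To check a real file, pass its bytes to parse_keytab and the result to audit; the key material in the returned tuples is as sensitive as the account password.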