To generate the keytab file and map the service principal name for Domain Services for Windows Serve

0 Likes
 

Environment

 

Novell Open Enterprise Server 2018 SP2

Novell Open Enterprise Server 2018 SP1

Domain Services for Windows

 

Situation

 

Why do we need the keytab file?

How to generate keytab file and map the service principal using dump-keytab tool?

A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the password). You can use a keytab file to authenticate to various remote systems using Kerberos, without entering a password.

Suppose some 100 of DSfW users are using the application like ZENworks. Now we want the authentication by Kerberos for all the users. In this case, we can use the keytab file which contains the pair of service principal name and authentication key. We can generate this keytab file using the dump-keytab tool and can use it for the Kerberos authentication process. We attach the generated keytab to ZENworks control center and login to Windows as any user.

The same login credentials are passed on to the ZENworks client and login happens seamlessly to the Windows workstation with the same user

 

Resolution

 

You can generate the keytab file that contains all service principals of DSfW server by executing the script run-keytab.sh. Generated keytab file contains the pairs of kerberos principal and encryption key for all DSfW  service principals.

If you want to generate the keytab file for a specific service principal of DSfW server then you can generate the keytab for single user principal. The following examples demonstrate the options that generate keytab for single principle, and also for all principles

Please note that principal with “HTTP/” prefix is only generated when we pass parameters.

 

Examples

1 ./run-keytab.sh: To generate keytab file for all service principals.

# ./run-keytab.sh

kdb_xad library exists, creating back-up library.

--------------------------------

Stopping DSfW services

.

Starting DSfW services

.

Keys dumped into /tmp/dsfw.keytab

************ keys will be dumped into /tmp/dsfw-keytab for all principals.***********************

Reverting the system to its original state.

 

# klist -ke /tmp/dsfw.keytab

Keytab name: FILE:/tmp/dsfw.keytab

KVNO Principal

---- -----------------------------------------------

   3 u1@DSFW.EDU (arcfour-hmac)

   3 u1@DSFW.EDU (aes128-cts-hmac-sha1-96)

   

2 ./run-keytab.sh <map-user> <princ-user-name> <tree-admin-pasword>: To generate specific service principal’s keytab.

# ./run-keytab.sh u2 desktop-j3lnhsf novell

kdb_xad library exists, creating back-up library.

--------------------------------

Stopping DSfW services

.

Starting DSfW services

.

Keys dumped into /tmp/dsfw.keytab

************ keys will be dumped into /tmp/dsfw-keytab for princ u1.************************

modifying entry "cn=u2,cn=Users,dc=dsfw,dc=edu"

modifying entry "cn=u2,cn=Users,dc=dsfw,dc=edu"

Reverting the system to its original state.

# klist -ke /tmp/dsfw.keytab

Keytab name: FILE:/tmp/dsfw.keytab

KVNO Principal

------------------------------------------------------------

   2 HTTP/ DESKTOP-J3LNHSF.dsfw.edu@DSFW.EDU (arcfour-hmac)

 

Additional Information

 

In the second case the script will generate keytab file for the service principal and also update this principal as an attribute of the mapped user which is passed as an argument. The names of corresponding attributes are servicePrincipalName and userPrincipalName. 

Following screenshot gives the details :

moali_0-1588074229466.png

We can use this script on any DSfW server.

The above tool can be downloaded from below link:

Labels:

Support Tip
Comment List
Anonymous
Related Discussions
Recommended