
I have some AD users which are linked to a functional group. My question is: how do I mention this functional group in the keytab command? As per my understanding, keytab uses an AD username and password. Also, is it mandatory to mention the password in the keytab command?

Syntax:

ktpass -princ HTTP/@ -mapuser -pass password -crypto all -ptype KRB5_NT_PRINCIPAL -out

Satish
  • Kerberos manages **authentication**; groups relate to **authorization**, and Kerberos has nothing to do with that. Once the user is authenticated, use an LDAP query to retrieve the groups it belongs to. – Samson Scharfrichter Jan 24 '17 at 14:44
  • The purpose of the keytab _file_ is to **store the password** in a hashed form. What do you mean by keytab _"command"_? – Samson Scharfrichter Jan 24 '17 at 14:46
  • By keytab "command" I mean the ktpass command. – Satish Jan 25 '17 at 07:11
  • OK, so if you want to use AD-specific extensions that are not supported by other Kerberos implementations, then make that explicit in your post (title, tags, content). But I would be surprised if anything outside the Microsoft world *(e.g. Weblogic)* supported these abominations. – Samson Scharfrichter Jan 25 '17 at 09:41
  • Did I answer your question? Can you please accept it if I did? – John R Smith Dec 23 '17 at 14:34

1 Answer

  1. The keytab creation syntax does not accept groups as part of the command arguments.
  2. It is not necessary to mention the password IF you use the +rndPass argument, which randomizes the password. You can either randomize the password or specify it, but you have to pick one or the other. You cannot leave it out.
John R Smith