This is what I did to set up our HP-UX 11i box with Kerberos authentication against AD:
1. Create a service-type user account in AD. In the case below the username is: kermit
2. Run the ktpass command on a domain controller using the syntax below.
3. Copy the resulting krb5.keytab file to the HP-UX box as /etc/krb5.keytab.
4. Edit the /etc/krb5.conf file so it points at the correct realm and domain controller.
The ktpass utility is included in the Windows 2000 Support Tools.
On the domain controller:
E:\>ktpass -princ host/amisys@MYDOMAIN.COM -mapuser kermit -pass ***** -out krb5.keytab
Successfully mapped host/mybox to kermit.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 49 host/mybox@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x10ade54f832551ba)
Account has been set for DES-only encryption.
Copied krb5.keytab to /etc/krb5.keytab and set the owner to root:sys and the permissions to 600.
Copied pam.krb5 to /etc/pam.conf.
Set up the Kerberos config file, /etc/krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
MYDOMAIN.COM = {
kdc = camelot.MYDOMAIN.COM:88
kpasswd_server = camelot.MYDOMAIN.COM:464
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
chmod 644 /etc/krb5.conf
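As an added example (not part of the original post, and not code from HP or Microsoft), here is a small Python audit of the two artifacts the procedure leaves behind: it parses a krb5.conf in the MIT profile format, checks that the default realm, its KDC and its domain_realm mapping line up, flags DES and RC4 enctypes, and compares keytab/krb5.conf ownership and mode against what the post sets (root, 600 and 644). The embedded krb5.conf is a constructed copy of the post's config; /etc/krb5.keytab and /etc/krb5.conf are assumed paths. Run against the post's config it reports the two DES-CBC-CRC settings, which matters because a keytab readable by anyone who can log in lets them impersonate the host service, and because current AD domain controllers refuse DES by default, so the same ktpass output would need an AES enctype today.

```python
"""Audit krb5.conf settings and keytab permissions for an AD-integrated host.
Added example for this post; not the post's own code."""
import os
import re
import stat
from typing import Any, Dict, List

# Constructed sample: a copy of the post's /etc/krb5.conf (MYDOMAIN.COM and
# camelot are the post's placeholders, not real hosts).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
MYDOMAIN.COM = {
kdc = camelot.MYDOMAIN.COM:88
kpasswd_server = camelot.MYDOMAIN.COM:464
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
"""

# Enctypes that are deprecated or outright broken; AD disables DES by default.
WEAK_ENCTYPES = ("des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the MIT profile format: [section], 'key = value', and
    'key = { ... }' sub-blocks. Repeated keys (e.g. several kdc lines)
    are collected into a list."""
    conf: Dict[str, Dict[str, Any]] = {}
    stack: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside of any section: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub: Dict[str, Any] = {}
            stack[-1][key] = sub
            stack.append(sub)
            continue
        cur = stack[-1]
        if key in cur:
            prev = cur[key]
            cur[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            cur[key] = value
    return conf


def audit_krb5_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    conf = parse_krb5_conf(text)
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults: no default_realm")
    elif realm != realm.upper():
        findings.append("libdefaults: default_realm %s is not upper case; "
                        "realm names are case sensitive" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for etype in str(libdefaults.get(key, "")).replace(",", " ").split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append("libdefaults: %s allows weak enctype %s" % (key, etype))
    realms = conf.get("realms", {})
    if realm and realm not in realms:
        findings.append("realms: no [realms] entry for default realm %s" % realm)
    elif realm and "kdc" not in realms[realm]:
        findings.append("realms: %s has no kdc" % realm)
    if realm and realm not in conf.get("domain_realm", {}).values():
        findings.append("domain_realm: no DNS domain maps to %s" % realm)
    return findings


def check_mode_bits(st_mode: int, st_uid: int, expected_mode: int,
                    expected_uid: int = 0) -> List[str]:
    """Compare raw stat values against the expected owner and permission bits."""
    problems: List[str] = []
    mode = stat.S_IMODE(st_mode)
    if mode != expected_mode:
        problems.append("mode %o, expected %o" % (mode, expected_mode))
    if st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st_uid, expected_uid))
    return problems


def check_file_mode(path: str, expected_mode: int, expected_uid: int = 0) -> List[str]:
    """stat() a file and report deviations from the expected owner/mode."""
    st = os.stat(path)
    return ["%s: %s" % (path, p)
            for p in check_mode_bits(st.st_mode, st.st_uid, expected_mode, expected_uid)]


if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print("FINDING:", finding)
    # Assumed paths from the post; only checked when they exist on this host.
    for path, mode in (("/etc/krb5.keytab", 0o600), ("/etc/krb5.conf", 0o644)):
        if os.path.exists(path):
            for problem in check_file_mode(path, mode):
                print("FINDING:", problem)
```

The parser keeps the realm block as a nested dict, so the same audit works for configs with several KDC lines or several realms; swapping the two DES lines for an AES enctype makes the findings list empty.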