Kerberos integration with Active Directory (2000) on HP-UX

This is what I did to set up our HP-UX 11i box with Kerberos integration with AD:

  1. Create a service type user account in AD. In the case below the username is: kermit

  2. Run the ktpass command on a domain controller using the syntax below.

  3. Copy the krb5.keytab file to the HPUX box under /etc/krb5.keytab

  4. Edit the /etc/krb5.conf file, pointing to the correct domain and domain controller.

The ktpass utility is included in the Windows 2000 Support Tools.

On domain controller:

E:\>ktpass -princ host/amisys@MYDOMAIN.COM -mapuser kermit -pass ***** -out krb5.keytab
Successfully mapped host/mybox to kermit.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 49 host/mybox@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x10ade54f832551ba)
Account has been set for DES-only encryption.

Copied krb5.keytab to /etc/krb5.keytab and set owner root:sys and permissions 600.

Copied pam.krb5 to /etc/pam.conf.

Set up the Kerberos config file:

[libdefaults]
    default_realm = MYDOMAIN.COM
    default_tgs_enctypes = DES-CBC-CRC
    default_tkt_enctypes = DES-CBC-CRC
    ccache_type = 2

[realms]
    MYDOMAIN.COM = {
        kdc = camelot.MYDOMAIN.COM:88
        kpasswd_server = camelot.MYDOMAIN.COM:464
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

chmod 644 /etc/krb5.conf
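
To confirm what actually landed in /etc/krb5.keytab after step 3, the following added example (not part of the original post) parses the version 0x502 keytab layout that ktpass reports and flags single-DES keys such as the DES-CBC-CRC one shown above. The function names are hypothetical and the sample entry is constructed with an all-zero key.

```python
import struct

ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",  # IANA etype numbers
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 2, 3}  # single-DES types, deprecated by RFC 6649


def _counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes of text."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry of a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size = deleted entry, skip the hole
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        if len(rec) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)   # component count, realm excluded
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(rec, off)
            parts.append(part)
        # name type, timestamp, 8-bit key version, encryption type, key length
        ptype, _ts, kvno, etype, keylen = struct.unpack_from(">IIBHH", rec, off)
        entries.append({"principal": "/".join(parts) + "@" + realm, "ptype": ptype,
                        "kvno": kvno, "etype": ETYPES.get(etype, hex(etype)),
                        "keylength": keylen, "weak": etype in WEAK_ETYPES})
    return entries


def sample_keytab():
    """Constructed data shaped like the ktpass output above, with an all-zero key."""
    rec = (struct.pack(">H", 2) + b"\x00\x0cMYDOMAIN.COM" + b"\x00\x04host"
           + b"\x00\x05mybox" + struct.pack(">IIBHH", 1, 0, 1, 1, 8) + bytes(8))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec


if __name__ == "__main__":
    print(*parse_keytab(sample_keytab()), sep="\n")
```

On a real host, pass the bytes of /etc/krb5.keytab (read as root) to parse_keytab; any entry with "weak" set to True is a single-DES key.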

