How to write script for ktutil

Carfield Yim

May 18, 2011, 5:44:03 AM
We need to automatically generate a Kerberos keytab on a Solaris machine
on Windows Active Directory. The tool ktutil lets us do that
manually on Solaris. However, it looks like there is no way to put the
ktutil commands in a script. I tried to put all the commands, as well as
the passwords, in the file "input.txt" and ran

cat input.txt | ktutil

However, ktutil complains: "addent: Cannot read password
while adding new entry"

Is there any way I can put that in a script? From some web searching, there is a
Perl module, Authen-Krb5-Admin, for this task, but there is not much
documentation for it; does anyone have a good pointer on that?
Or can I simply do that using a shell script?

Ubaid Rahman

May 19, 2011, 12:20:19 PM
to kerb...@mit.edu
Here is a way I've been using..

/usr/krb5/sbin/ktutil <<EOF
rkt $DIR/keytabs/$HOST.keytab
wkt /etc/krb5/krb5.keytab
list
exit
EOF

Ubaid Rahman
Senior AIX Administrator
SCS C&ES Infrastructure
Admin 1 # 146E
Ph # *.703.2817 (internal) or 919.483.2817 (external)
      # 919.314.7177 (cell)  

-----Original Message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On Behalf Of kerberos...@mit.edu
Sent: Thursday, May 19, 2011 12:03 PM
To: kerb...@mit.edu
Subject: Kerberos Digest, Vol 101, Issue 14

Send Kerberos mailing list submissions to
kerb...@mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
kerberos...@mit.edu

You can reach the person managing the list at
kerbero...@mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

1. Re: BUG Report : 'krb5.ini' not found on Windows. (Weijun Wang)
2. How to write script for ktutil (Carfield Yim)
3. How to buil Kerberos for windows (Dao, Khanh (IS))
4. Instant Messaging client-server solution? (Jaap Winius)
5. Re: Instant Messaging client-server solution? (Russ Allbery)
6. Re: Instant Messaging client-server solution? (Dax Kelson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 May 2011 11:49:05 +0800
From: Weijun Wang <weiju...@oracle.com>
Subject: Re: BUG Report : 'krb5.ini' not found on Windows.
To: jal...@secure-endpoints.com
Cc: kerb...@mit.edu
Message-ID: <4DD341B1...@oracle.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 05/18/2011 02:43 AM, Jeffrey Altman wrote:
> Application specific configuration files do not belong in \WINDOWS.
> The correct place for krb5.ini is \ProgramData\Kerberos\krb5.ini which
> requires that the environment variable KRB5_CONFIG be set to refer to
> that file.
>
> I do not know whether or not Java will pay attention to the environment
> variable.

We are not reading this environment variable, will consider adding it.

So, the logic will be

1. If java system property java.security.krb5.conf set, use it
2. If KRB5_CONFIG set, use it
3. If $JRE/lib/security/krb5.conf exists, use it
4. If Windows:
   a) If there is krb5.ini in GetWindowsDirectory, use it
   b) If there is krb5.ini in GetSystemWindowsDirectory, use it
   c) Use USERDNSDOMAIN and LOGONSERVER environment variables
5. If *nix:
   a) If Solaris, try /etc/krb5/krb5.conf
   b) Otherwise, try /etc/krb5.conf
   c) Use DNS

Thanks
Weijun

>
> Jeffrey Altman
>
>
> On 5/17/2011 6:53 AM, Onkesh Bansal wrote:
>> Hello,
>>
>>
>>
>> Configuration>>
>>
>>>>> Windows 2008 R2 (Service Pack 1) workstation.
>>
>>
>>
>> I am having this problem on my machine and am not able to figure out
>> what is the root cause.
>>
>> The scenario seems with Terminal Services installed on the system and
>> when the authentication has to be done via the LDAP over the local
>> network.
>>
>>
>> This BUG has been logged with ORACLE-JAVA at
>> http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
>> provided with a work around.
>>
>> My Query is:
>>
>> 1. What is the reason behind this bug. I need to know the root
>> cause for this.
>>
>> 2. What should be my steps (apart from the workaround provided
>> with the bug resolution) so as to prevent any future re-occurrences?
>> ie I need a fix.
>>
>> 3. Can it be related to the version changes of Kerberos or is it
>> because of Windows 2008?
>>
>>
>>
>> Thanks& Regards,
>>
>> Onkesh Bansal
>>
>> Engineer-1 QA,
>>
>> Quark Media House (P) Ltd.
>>
>> oba...@quark.com
>>
>> ________________________________________________
>> Kerberos mailing list Kerb...@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


------------------------------

Message: 2
Date: Wed, 18 May 2011 02:44:03 -0700 (PDT)
From: Carfield Yim <carf...@gmail.com>
Subject: How to write script for ktutil
To: kerb...@mit.edu
Message-ID:
<75285564-eee9-4a0d...@d19g2000prh.googlegroups.com>
Content-Type: text/plain; charset=ISO-8859-1

cat input.txt | ktutil


------------------------------

Message: 3
Date: Wed, 18 May 2011 19:43:17 +0000
From: "Dao, Khanh (IS)" <khan...@ngc.com>
Subject: How to buil Kerberos for windows
To: "kerb...@mit.edu" <kerb...@mit.edu>
Message-ID:
<1FA88A9D6D15044191C...@XMBC3085.northgrum.com>
Content-Type: text/plain; charset="us-ascii"


Hi,
I am seeking the info how to build latest Kerberos 5 Release 1.9.1 for windows. Following the instruction I got

C:\Program Files\Microsoft SDKs\Windows\v6.1\include\ntstatus.h(11618) : warning
C4005: 'STATUS_SXS_INVALID_DEACTIVATION' : macro redefinition
C:\Program Files\Microsoft SDKs\Windows\v6.1\include\winnt.h(1857) : see
previous definition of 'STATUS_SXS_INVALID_DEACTIVATION'
..\..\..\config\rm.bat ..\obj\i386\dbg\ccache.lst
..\..\..\util\windows\obj\i386\dbg\libecho -p ccache\ obj\i386\dbg\*.obj
ccapi\obj\i386\dbg\*.obj > ..\obj\i386\dbg\ccache.lst
NMAKE : fatal error U1077: 'for' : return code '0x15a3e8'
Stop.
NMAKE : fatal error U1077: 'for' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'for' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'for' : return code '0x1'
Stop.


Is there any installer for Windows for latest Kerberos 5 Release 1.9.1 ?

Thanks
Khanh Dao
Software Engineer
Northrop Grumman Information Systems, Inc.
Defense Mission Systems Division
Airbone & Maritime System (AMS)
9326 Spectrum Center Blvd., Mail Stop CA222/1138
San Diego, CA 92123
858-514-9177
Fax: 858-514-9010

------------------------------

Message: 4
Date: Wed, 18 May 2011 02:29:32 +0200
From: Jaap Winius <jwi...@umrk.nl>
Subject: Instant Messaging client-server solution?
To: kerb...@mit.edu
Message-ID: <20110518022932....@bitis.umrk.nl>
Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed"

Hi folks,

Can anyone recommend and an Instant Messaging solution, client and
server, that plays nice with Kerberos 5?

The group of people I would be setting it up for all recently switched
from using Windows XP workstations to Debian squeeze with Xfce.
They're still getting used to the environment, so I don't want to
offend their sensibilities too much with an IM client that is too
minimal. They currently would prefer to use Pidgin, but are still
flexible.

Their network consists of three geographically separate locations,
each with its own Debian squeeze server that includes an iptables
firewall and NAT, as well as IPv6 (and another firewall for that). The
three servers communicate with each other via the Internet, but always
through the firewalls (and NATs for IPv4). Zephyr may be a solution,
but I'm not sure it would work with the NATs.

Thanks,

Jaap


------------------------------

Message: 5
Date: Wed, 18 May 2011 13:21:56 -0700
From: Russ Allbery <r...@stanford.edu>
Subject: Re: Instant Messaging client-server solution?
To: kerb...@mit.edu
Message-ID: <87pqnfe...@windlord.stanford.edu>
Content-Type: text/plain; charset=us-ascii

Jaap Winius <jwi...@umrk.nl> writes:

> Can anyone recommend and an Instant Messaging solution, client and
> server, that plays nice with Kerberos 5?

For client, Pidgin works well with GSS-API and is cross-platform. For
server, we ended up using OpenFire, but I know there are others out there
that can also do GSS-API.

OpenFire has the drawback that it's written in Java and uses a completely
bizarre configuration mechanism that we had a lot of trouble with. You
also have to fiddle with it a bit to get GSS-API to work properly. It
wasn't an entirely obvious deployment, unfortunately.

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>


------------------------------

Message: 6
Date: Wed, 18 May 2011 14:40:24 -0600
From: Dax Kelson <dke...@gurulabs.com>
Subject: Re: Instant Messaging client-server solution?
To: Jaap Winius <jwi...@umrk.nl>
Cc: kerb...@mit.edu
Message-ID: <1305751224....@mentor.gurulabs.com>
Content-Type: text/plain; charset="UTF-8"

On Wed, 2011-05-18 at 02:29 +0200, Jaap Winius wrote:
> Hi folks,
>
> Can anyone recommend and an Instant Messaging solution, client and
> server, that plays nice with Kerberos 5?

We used Pidgin and OpenFire in our office. Works well. Was pretty
straightforward to configure.

Dax Kelson
Guru Labs

------------------------------

_______________________________________________
Kerberos mailing list
Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


End of Kerberos Digest, Vol 101, Issue 14
*****************************************

Carfield Yim

May 26, 2011, 5:04:17 AM
How do you get the $HOST.keytab in the first place?

I try to have something like

/usr/krb5/sbin/ktutil <<EOF
addent -password -p TESTUSER@TESTHOST -k 1 -e rc4-hmac
TESTPASSWORD
write_kt /tmp/test.keytab
list
exit
EOF

But it also complains with "addent: Cannot read password while adding new entry"

On May 20, 12:20 am, Ubaid Rahman <ubaid.u.rah...@gsk.com> wrote:
> Here is a way I've been using..
>
> /usr/krb5/sbin/ktutil <<EOF
> rkt $DIR/keytabs/$HOST.keytab
> wkt /etc/krb5/krb5.keytab
> list
> exit
> EOF
>
> Ubaid Rahman
> Senior AIX Administrator
> SCS C&ES Infrastructure
> Admin 1 # 146E
> Ph # *.703.2817 (internal) or 919.483.2817 (external)
>       # 919.314.7177 (cell)  

Carfield Yim

Jul 5, 2011, 12:43:09 PM
Hi all, actually I solved this problem by using expect scripting http://en.wikipedia.org/wiki/Expect

Other than that, SebastianUnger thinks we can use "sleep" in a shell script to achieve that:


{
echo "addent -password -p ${PRINCIPAL} -k ${KVNO} -e des-cbc-crc"
sleep 1
echo "${PASSWORD}"
sleep 1
# wkt is a ktutil command, so it has to be echoed into the pipe as well
echo "wkt new.keytab"
} |
ktutil

But I haven't tried that out
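
The expect approach from the last post, written out in Python as an added example (not code from the thread): it runs ktutil on a pseudo-terminal and sends each line only after the matching prompt has appeared, instead of sleeping. The `ktutil:` and `Password for` prompt strings and the function names are assumptions; check them against your ktutil build.

```python
import os
import pty
import select
import signal
import time


def ktutil_dialogue(principal, kvno, enctype, password, keytab):
    """(prompt, reply) pairs for one addent/wkt session. Prompt strings are assumed."""
    prompt = b"ktutil:"
    return [
        (prompt, f"addent -password -p {principal} -k {kvno} -e {enctype}".encode()),
        (b"Password for", password.encode()),
        (prompt, f"wkt {keytab}".encode()),
        (prompt, b"exit"),
    ]


def _read(fd, deadline):
    """Return the next chunk from the pty, or b'' at end of output."""
    ready, _, _ = select.select([fd], [], [], max(deadline - time.monotonic(), 0))
    if not ready:
        raise TimeoutError("child produced no output before the timeout")
    try:
        return os.read(fd, 4096)
    except OSError:  # Linux raises EIO once the child has closed the pty
        return b""


def run_on_pty(argv, dialogue, timeout=10.0):
    """Run argv on a pseudo-terminal, sending each reply only after its prompt.

    Returns (exit_code, transcript). Replies typed while the child has echo
    switched off (the password) do not appear in the transcript.
    """
    pid, fd = pty.fork()
    if pid == 0:  # child: the pty is now stdin, stdout and controlling tty
        os.umask(0o077)  # a keytab written by the child is owner-only
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)
    transcript, seen = b"", 0
    deadline = time.monotonic() + timeout
    try:
        for prompt, reply in dialogue:
            while prompt not in transcript[seen:]:
                chunk = _read(fd, deadline)
                if not chunk:
                    raise EOFError(f"child exited before prompt {prompt!r}")
                transcript += chunk
            seen = transcript.index(prompt, seen) + len(prompt)
            os.write(fd, reply + b"\n")
        while chunk := _read(fd, deadline):
            transcript += chunk
    except BaseException:
        os.kill(pid, signal.SIGKILL)
        raise
    finally:
        os.close(fd)
        _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, transcript
```

Call it as `run_on_pty(["/usr/krb5/sbin/ktutil"], ktutil_dialogue(...))`, reading the password from a root-only file or a prompt rather than from the command line. The `rc4-hmac` and `des-cbc-crc` enctypes used in the thread are legacy; use the strongest enctype the AD account supports.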
