
I have a couple of questions on Kerberos on Windows.

I want to find out what the purpose of mapping a user to a service using ktpass is.

For example, I am on Windows and I run ktpass like this:

ktpass -out <keytab location> -princ <host/domain.com> -mapUser userA@domain.com -mapOp add .........

When we map a user to the -princ, does it mean that only "userA" can authenticate to the service? How do we use the -add and -set options? What is the difference?

My issue is this:

I have:

  • Many users wanting to use a service I have and authenticate through Kerberos (JAAS Krb5LoginModule)

But:

  • I don't want to specify many user principal names in the jaas.config file.

So I am thinking of using an SPN instead, and mapping it to userA, and userA can only use the service. But I am not sure if this mapping also serves an authorizing purpose.

For Sun Java's Krb5LoginModule, there is an option useTicketCache.
If I set this to true, does it mean that if some user logs in, Krb5LoginModule will use his/her Kerberos credentials that are stored in their computer's memory?
I am asking this because in some other implementations of Krb5LoginModule,
e.g. IBM's, there is no useTicketCache, but there is useCcache; however, useCcache needs a ticket location to be specified, and I don't want to specify this location.

How can it be done in IBM's Krb5LoginModule version?

Can I do this:

Normally the keytab file is used for a service principal, but can I use this keytab to store user credentials?
E.g.: ktab -k mykeytab.keytab -a userA@REALM.COM, without doing setspn or ktpass?

Sven
dorothy

1 Answer


In AD, Kerberos service principals are associated with AD user or computer objects as servicePrincipalName LDAP attributes, so you have to specify the account to which the principal should be added. This does not determine which users can authenticate to the service (as you were guessing), but rather under which AD account the service itself should run (if it's running on Windows). This is because the service needs the keys for that principal in order to validate the Kerberos tickets it will be sent by users, and it will have access to the keys if it's running under the account to which the principal is attached. This happens automatically on Windows; on Unix, it would typically be arranged manually by the administrator creating a keytab file containing the keys, and configuring the service to use it.

For Sun Java's Krb5LoginModule, there is an option useTicketCache. If I set this to true, does it mean that if some user logs in, Krb5LoginModule will use his/her Kerberos credentials that are stored in their computer's memory?

That's the idea, although it works poorly because of Java's choice to embed a complete Kerberos implementation in the JDK rather than use the one provided by the host (there is an option for the latter, but only on Unix and most people don't know about or use it). On Unix, the Java Kerberos package can read an MIT-style ccache but not write to it. On Windows it can read the SSPI ccache (the user's login credentials), but you need to set a registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\allowtgtsessionkey = DWORD 1

... so that Java can get the session key for the TGT in order to use it. This is restricted by default, and not normally needed since a Windows program would normally ask SSPI to perform the operations which need the session key rather than do them itself.

Normally the keytab file is used for a service principal, but can I use this keytab to store user credentials?

A keytab stores a set of (principal, key) pairs; it doesn't matter whether the principal is that of a user or a service. You can store the keys corresponding to your password in a keytab (e.g. with the MIT "ktutil" program), and then authenticate with the keytab instead of typing in your password (e.g. with "kinit -k -t"). However, keep in mind that this is essentially the same as putting your password in the file, with all that entails in terms of security.
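To make the last point concrete, here is an added example (written for this page, not code from the question, the answer, or any Kerberos implementation): a minimal writer and reader for the MIT keytab file format (version 0x0502) in standard-library Python. It shows that an entry is nothing more than (principal, kvno, etype, key bytes) and that a user principal such as userA@DOMAIN.COM and a service principal such as host/www.domain.com@DOMAIN.COM are stored identically. The principal names, timestamps and key bytes are constructed placeholders; a real entry would hold the etype's string-to-key output of the account password, which is exactly why the file is password-equivalent. The reader also skips free slots (negative size), which the format uses to mark deleted entries.

```python
"""Minimal MIT keytab (format 0x0502) writer and reader, pure standard library."""
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1            # name_type used here for user and service principals alike
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str   # "userA@REALM" or "host/www.domain.com@REALM"; both are stored identically
    kvno: int        # key version number, bumped whenever the account's password changes
    etype: int       # Kerberos encryption type of the key
    key: bytes       # the raw long-term key: password-equivalent material
    timestamp: int = 0


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries) -> bytes:
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.etype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # full 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body  # size excludes the size field itself
    return bytes(out)


def read_keytab(data: bytes):
    if data[:2] != struct.pack(">H", KEYTAB_VERSION):
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a free slot left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno is present only if 4 bytes remain in the entry
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key, ts))
    return entries


# Constructed placeholder keys (assumption: NOT derived from any password). A real entry holds
# the etype's string-to-key output of the account password, so whoever can read the file
# can act as that principal, exactly as if they held the password.
SERVICE_KEY = bytes(range(32))
USER_KEY = bytes(range(32, 64))
SAMPLE_ENTRIES = [
    KeytabEntry("host/www.domain.com@DOMAIN.COM", 3, ETYPE_AES256_CTS_HMAC_SHA1_96, SERVICE_KEY, 1700000000),
    KeytabEntry("userA@DOMAIN.COM", 1, ETYPE_AES256_CTS_HMAC_SHA1_96, USER_KEY, 1700000000),
]


def demo():
    """Round-trip the sample entries through the on-disk format."""
    return read_keytab(write_keytab(SAMPLE_ENTRIES))


def demo_with_free_slot():
    """Same file with a free (negative-size) slot spliced in after the header; readers must skip it."""
    blob = write_keytab(SAMPLE_ENTRIES)
    hole = struct.pack(">i", -8) + bytes(8)
    return read_keytab(blob[:2] + hole + blob[2:])


if __name__ == "__main__":
    for e in demo():          # same shape of listing as "klist -kt" or "ktutil list"
        print(f"{e.kvno:>4} {e.principal} etype={e.etype} key={e.key.hex()}")
```

Running the block prints the two entries with their key bytes in the clear, which is the practical meaning of "the same as putting your password in the file": file permissions on the keytab are the only thing standing between a reader and userA's identity, so a keytab for a user principal deserves the same handling as the password itself.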