I have a couple of questions on Kerberos on Windows.
I want to find out what the purpose of mapping a user to a service using ktpass is.
For example I am on windows and I run ktpass like this:
ktpass -out <keytab location> -princ <host/domain.com> -mapUser userA@domain.com -mapOp add .........
When we map a user to the -princ, does it mean that only "userA" can authenticate the service? How do we use the -add and -set options? What is the difference?
My issue is this:
I have:
- Many users wanting to use a service I have, and authenticate through Kerberos (JAAS Krb5LoginModule)
But:
- I don't want to specify many user principal names in the jaas.config file.
So I am thinking of using an SPN instead, mapping it to userA, so that only userA can use the service. But I am not sure if this mapping also serves an authorizing purpose.
For sun java's Krb5LoginModule, there is an option useTicketCache.
If I set this to true, does it mean that if some user logs in, Krb5LoginModule will use his/her Kerberos credentials that are stored in their computer's memory?
I am asking this because in some other implementations of Krb5LoginModule, e.g. IBM's, there is no useTicketCache, but there is useCcache, and useCcache needs a ticket location to be specified; I don't want to specify this location.
How can it be done in IBM's Krb5LoginModule version?
Can I do this: normally the keytab file is used for a service principal, but can I use this keytab to store user credentials, e.g. ktab -k mykeytab.keytab -a userA@REALM.COM, without doing setspn or ktpass?
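Added example, not part of the original question: a jaas.conf that keeps the two roles the question runs together apart. The service entry authenticates with the keytab that ktpass produced for the SPN, and the client entry lets each user authenticate with the TGT already in their own ticket cache, so no per-user principal names appear in the file. The realm, host name, keytab path and entry names are assumptions.

```conf
// Constructed example jaas.conf (not from the question); realm, host and
// keytab path are placeholders.

// Acceptor side: the service proves its own identity with the key that
// ktpass wrote into the keytab. The principal is the SPN that ktpass mapped
// to the AD account (userA in the question); this says nothing about which
// users may call the service, so authorization stays the application's job.
MyService {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="C:/kerberos/service.keytab"
        principal="host/service.domain.com@DOMAIN.COM"
        storeKey=true
        isInitiator=false
        doNotPrompt=true;
};

// Initiator side: each user's process picks up the TGT already held in the
// OS ticket cache. No user principal is listed here; the caller's identity
// is whoever obtained that TGT, and doNotPrompt makes login fail rather
// than ask for a password when no usable ticket is present.
MyClient {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true;
};
```

With this split, the ktpass mapping only affects the MyService entry: it ties the SPN to one account so the KDC issues service tickets encrypted with that account's key, which the keytab lets the service decrypt. On a Windows client, reading the logged-on user's TGT from the LSA cache additionally requires the AllowTgtSessionKey registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters to be set, otherwise the session key is withheld and useTicketCache cannot use the cached ticket.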