
I have a service which needs to authenticate against another service using Kerberos. Normal credentials expire rather quickly - can I create a keytab or something for the service to get the ticket without password?

I don't have admin for Kerberos server but I do have local admin for AD member.

Maciej Piechotka
  • sure, here is an example of how: https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs – natxo asenjo Oct 10 '17 at 18:33
  • @natxoasenjo Thanks. Is there a way to restrict it to one service only? – Maciej Piechotka Oct 11 '17 at 18:45
  • @natxoasenjo Google? But most examples are about adding a principal (user@domain) without restricting it to a service - I'd ideally like to allow user@domain to authenticate using a keytab to SERVICE/host@domain. Currently I'm not sure if that's even possible, as I cannot find a place to put SERVICE/host@domain (if it isn't - oh well...) – Maciej Piechotka Oct 11 '17 at 20:59
  • that's not trying ;-). If you want to restrict it to a spn, then you need to add a spn attribute to the ldap object (user/computer). – natxo asenjo Oct 12 '17 at 06:51
  • @natxoasenjo so in short I cannot, as I don't have admin rights to AD/LDAP/Kerberos. Somehow I don't think trying to pass a `--spn` parameter to `add_entry` would help move me forward with this problem ;) – Maciej Piechotka Oct 12 '17 at 08:34

1 Answer


In short, yes, but you're going to need to involve your AD Admin and they are going to have to set an SPN on the user object your keytab refers to.

I know this because we've used a few of these in one of my production environments. Hope it helps you out.

https://technet.microsoft.com/en-us/library/cc731241(v=ws.11).aspx

Kyp
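What the AD-admin side of this looks like, as an added example that is not part of the question or the answer: the admin registers the SPN on the account with `setspn` (the tool the linked TechNet page documents), exports a keytab for that account with `ktpass`, and locks down the resulting file. All names here (realm EXAMPLE.COM, account svc-client, SPN HTTP/app.example.com, the output path) are assumptions for illustration. Two points worth knowing before running it: `ktpass` resets the mapped account's password to the value it writes into the keytab (and bumps the key version number), so anything else still using that account's old password will break; and a keytab is only the account's long-term key, so the KDC cannot scope it to a single target service. Limiting what the account can reach is done by authorization on the destination service, not in the keytab.

```powershell
# Added example, not from the original page. Run as an AD administrator on a
# domain-joined Windows host with the RSAT tools (setspn.exe, ktpass.exe) present.
# Every name below is an assumed placeholder; substitute your own.
$Realm      = 'EXAMPLE.COM'                      # assumed Kerberos realm (AD domain, upper-case)
$Account    = 'svc-client'                       # assumed service account the keytab is for
$Spn        = 'HTTP/app.example.com'             # assumed SPN to register on that account
$KeytabPath = 'C:\keytabs\svc-client.keytab'     # assumed output path

# 1. Refuse to continue if the SPN is already registered anywhere in the forest.
#    Duplicate SPNs make the KDC unable to pick a key, which breaks authentication
#    for both accounts, so this is worth checking before setspn -S runs.
$query = (setspn -Q $Spn) -join "`n"
if ($query -notmatch 'No such SPN found') {
    throw "SPN $Spn is already registered; resolve the duplicate before continuing."
}

# 2. Register the SPN. -S (unlike -A) re-checks for duplicates before adding.
setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }

# 3. Export the keytab. /pass +rndPass sets a random password on the account and
#    derives the keytab key from it; AES256 avoids the weak RC4/DES key types.
#    This step CHANGES the account password and increments its kvno.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabPath) | Out-Null
ktpass /princ "$Spn@$Realm" `
       /mapuser "$Account@$Realm" `
       /crypto AES256-SHA1 `
       /ptype KRB5_NT_PRINCIPAL `
       /pass +rndPass `
       /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. The keytab is equivalent to the account's password: strip inherited ACLs and
#    grant read access only to the account that will use it (plus admins).
icacls $KeytabPath /inheritance:r `
    /grant:r "$env:USERDOMAIN\$Account:(R)" `
    /grant:r 'BUILTIN\Administrators:(F)' | Out-Null

# 5. Show the SPNs now attached to the account so the change can be reviewed.
setspn -L $Account
```

Once the file has been handed to the service host, the service obtains its TGT with `kinit -kt <keytab> <principal>` (MIT or Heimdal) instead of typing a password, and can renew on a schedule without anyone present. The keytab should be treated exactly like the account's password: rotate it by re-running `ktpass` (which again changes the password and kvno) when it may have been exposed, and never copy it to hosts that do not need it.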