Ktpass Remarks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Using KtPass

Services running on UNIX systems can be given service instance accounts in Active Directory, which allows full interoperability in both directions: MIT Kerberos clients and servers on UNIX systems can authenticate by using a Windows Server 2003 Kerberos KDC, and clients of servers running Windows Server 2003 can authenticate to Kerberos services that support GSS-API.

Unlike Kerberos principal names, Windows Server 2003 account names do not have multiple parts, so an account cannot be created directly with a name such as Sample/Unix1.microsoft.com. Instead, the multi-part principal is attached to an ordinary account through a service principal name (SPN) mapping, which is what KtPass creates.

To generate a keytab file for the UNIX host, map the principal to the account, and set the host principal's password:

  1. Use the Active Directory Users and Computers snap-in to create a user account for the UNIX service. For example, create an account with the name SampleUnix1.

  2. Set up an identity mapping for the user account by running KtPass with this syntax:

    ktpass /princ ServiceInstance@REALM /mapuser AccountName /pass Password /out Unixmachine.keytab

    • You cannot map multiple service instances to the same user account.
    • KtPass sets the account's password to the value given with /pass, so the key written to the keytab and the key held in Active Directory match. Every later run with /pass changes the password again and the key version with it, so the keytab on the UNIX host must then be regenerated.
  3. Merge the keytab file into the /etc/krb5.keytab file on the UNIX host (for example, with the MIT ktutil rkt and wkt commands), and confirm with klist -k that the new principal is present with the expected key version.
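
The following is an added example, not code from the original topic, showing what step 3 does to the bytes: it parses the MIT keytab format (version 2, header 0x0502) that KtPass and ktutil write, merges a KtPass output file into an existing /etc/krb5.keytab the way ktutil rkt/wkt would, and checks that the merged file carries the host principal with the key version number the account has in Active Directory. The principal names, realm, timestamps and keys are constructed for illustration and are not real.

```python
"""Inspect and merge MIT Kerberos keytab files (format version 2, header bytes 0x0502)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1   # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}  # the 2003-era /crypto set

@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/unix1.example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int   # seconds since the epoch when the entry was written
    kvno: int        # must match the account's current key version in AD
    enctype: int
    key: bytes

def _counted(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry; a negative record size marks a deleted slot to skip."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab header %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                        # hole left by ktutil 'delent'
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # in v2 the realm is not a component
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _read_counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:                  # optional 32-bit kvno overrides the 8-bit one when nonzero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries

def write_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def merge_keytabs(*keytabs: bytes) -> bytes:
    """Same effect as ktutil 'rkt a', 'rkt b', 'wkt out': every entry from every input is
    kept in order; exact duplicates (same principal, kvno and enctype) are dropped."""
    seen, merged = set(), []
    for kt in keytabs:
        for e in parse_keytab(kt):
            if (e.principal, e.kvno, e.enctype) not in seen:
                seen.add((e.principal, e.kvno, e.enctype))
                merged.append(e)
    return write_keytab(merged)

def check_principal(data: bytes, principal: str, ad_kvno: int) -> List[str]:
    """Report a missing principal, or a keytab kvno that disagrees with the account's key
    version in AD (the usual cause of 'Key version number for principal ... is incorrect')."""
    matches = [e for e in parse_keytab(data) if e.principal == principal]
    problems = [] if matches else ["no entry for %s" % principal]
    for e in matches:
        if e.kvno != ad_kvno:
            problems.append("%s: keytab kvno %d but AD kvno %d; rerun ktpass and re-merge"
                            % (ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno, ad_kvno))
    return problems

# Constructed sample data (hypothetical names, fake keys): the file ktpass wrote for the UNIX
# host principal, and an existing /etc/krb5.keytab that already holds an NFS service key.
KTPASS_OUTPUT = write_keytab([KeytabEntry("host/unix1.example.com@EXAMPLE.COM",
                                          KRB5_NT_PRINCIPAL, 1100000000, 3, 23, bytes(range(16)))])
EXISTING_KRB5_KEYTAB = write_keytab([KeytabEntry("nfs/unix1.example.com@EXAMPLE.COM",
                                                 KRB5_NT_PRINCIPAL, 1090000000, 1, 3, b"\x13" * 8)])
MERGED = merge_keytabs(EXISTING_KRB5_KEYTAB, KTPASS_OUTPUT)

if __name__ == "__main__":
    for e in parse_keytab(MERGED):          # the same fields 'klist -k -e' prints on the UNIX host
        print("%-40s kvno %d %s" % (e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
    print(check_principal(MERGED, "host/unix1.example.com@EXAMPLE.COM", ad_kvno=4))
```

The merge keeps whatever is already in /etc/krb5.keytab and appends the KtPass entry, which is also what ktutil does; it never removes anything. Because each run of KtPass with /pass changes the account password and therefore the key version, a stale entry for the same principal with the old kvno stays in the file after a re-merge and should be deleted (ktutil delent) so that the check above, and the KDC, see only the current key.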

See Also


Ktpass Overview
Ktpass Syntax
Alphabetical List of Tools
Xcacls Overview
Sidwalker Security Administration Tools
Sidwalk Overview
Showaccs Overview
Sdcheck Overview
Ksetup Overview
Getsid Overview