How to generate keytab for headless AD user
up vote
0
down vote
favorite
I was provided a headless Active Directory user account with a randomly generated password we need to use to access some network resources. Since this headless account will need to be run from an automated job, I'm trying to create a keytab file that can be used with kinit. Since this is a user account, not a service account, and I don't have admin access for AD, I can't use kadmin to create it. Instead, I'm trying to use ktutil to generate the correct keytab file and store it in a secure location. As I understand it, the keytab file just contains the raw encryption keys as produced by a standard string2key Kerberos function based on the user's password and salt. The salt comes from the server in the preauth, but it normally just the username and realm.
I can manually acquire a Kerberos ticket for the user:
kinit headless@REALM
Running klist -e, I see it's using the encryption type aes256-cts-hmac-sha1-96 for the service key and TGT. The kvno is a bit trickier to get, but from Wireshark, I found it's value. Using ktutil, I create the keytab:
# ktutil
add_entry -password -p headless@REALM -k 3 -e aes256-cts-hmac-sha1-96
write_kt headless.keytab
quit
To use the keytab file, I'm running this:
kinit headless@REALM -k -t headless.keytab
However, I get a preauth error trying to get the TGT. From a little research, it sounds like the salt used in Microsoft AD might not be conventional so I tried extracting the salt from Wireshark by carefully examining the salt field from the PA-ETYPE-INFO2 preauth data in the Kerberos server response. Indeed, it included the username and realm, but adding the salt to the ktutil add_entry -s option and it still did not accept it.
What is the correct procedure to create a keytab file on Linux for a headless AD account?
security authentication active-directory kerberos
asked Nov 29 at 2:12
penguin359
8,63423039
add a comment |
up vote
0
down vote
favorite
I was provided a headless Active Directory user account with a randomly generated password we need to use to access some network resources. Since this headless account will need to be run from an automated job, I'm trying to create a keytab file that can be used with kinit. Since this is a user account, not a service account, and I don't have admin access for AD, I can't use kadmin to create it. Instead, I'm trying to use ktutil to generate the correct keytab file and store it in a secure location. As I understand it, the keytab file just contains the raw encryption keys as produced by a standard string2key Kerberos function based on the user's password and salt. The salt comes from the server in the preauth, but it normally just the username and realm.
I can manually acquire a Kerberos ticket for the user:
kinit headless@REALM
Running klist -e, I see it's using the encryption type aes256-cts-hmac-sha1-96 for the service key and TGT. The kvno is a bit trickier to get, but from Wireshark, I found it's value. Using ktutil, I create the keytab:
# ktutil
add_entry -password -p headless@REALM -k 3 -e aes256-cts-hmac-sha1-96
write_kt headless.keytab
quit
To use the keytab file, I'm running this:
kinit headless@REALM -k -t headless.keytab
However, I get a preauth error trying to get the TGT. From a little research, it sounds like the salt used in Microsoft AD might not be conventional so I tried extracting the salt from Wireshark by carefully examining the salt field from the PA-ETYPE-INFO2 preauth data in the Kerberos server response. Indeed, it included the username and realm, but adding the salt to the ktutil add_entry -s option and it still did not accept it.
What is the correct procedure to create a keytab file on Linux for a headless AD account?
security authentication active-directory kerberos
asked Nov 29 at 2:12
penguin359
8,63423039
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I was provided a headless Active Directory user account with a randomly generated password we need to use to access some network resources. Since this headless account will need to be run from an automated job, I'm trying to create a keytab file that can be used with kinit. Since this is a user account, not a service account, and I don't have admin access for AD, I can't use kadmin to create it. Instead, I'm trying to use ktutil to generate the correct keytab file and store it in a secure location. As I understand it, the keytab file just contains the raw encryption keys as produced by a standard string2key Kerberos function based on the user's password and salt. The salt comes from the server in the preauth, but it normally just the username and realm.
I can manually acquire a Kerberos ticket for the user:
kinit headless@REALM
Running klist -e, I see it's using the encryption type aes256-cts-hmac-sha1-96 for the service key and TGT. The kvno is a bit trickier to get, but from Wireshark, I found it's value. Using ktutil, I create the keytab:
# ktutil
add_entry -password -p headless@REALM -k 3 -e aes256-cts-hmac-sha1-96
write_kt headless.keytab
quit
To use the keytab file, I'm running this:
kinit headless@REALM -k -t headless.keytab
However, I get a preauth error trying to get the TGT. From a little research, it sounds like the salt used in Microsoft AD might not be conventional so I tried extracting the salt from Wireshark by carefully examining the salt field from the PA-ETYPE-INFO2 preauth data in the Kerberos server response. Indeed, it included the username and realm, but adding the salt to the ktutil add_entry -s option and it still did not accept it.
What is the correct procedure to create a keytab file on Linux for a headless AD account?
security authentication active-directory kerberos
asked Nov 29 at 2:12
penguin359
8,63423039
I was provided a headless Active Directory user account with a randomly generated password we need to use to access some network resources. Since this headless account will need to be run from an automated job, I'm trying to create a keytab file that can be used with kinit. Since this is a user account, not a service account, and I don't have admin access for AD, I can't use kadmin to create it. Instead, I'm trying to use ktutil to generate the correct keytab file and store it in a secure location. As I understand it, the keytab file just contains the raw encryption keys as produced by a standard string2key Kerberos function based on the user's password and salt. The salt comes from the server in the preauth, but it normally just the username and realm.
I can manually acquire a Kerberos ticket for the user:
kinit headless@REALM
Running klist -e, I see it's using the encryption type aes256-cts-hmac-sha1-96 for the service key and TGT. The kvno is a bit trickier to get, but from Wireshark, I found it's value. Using ktutil, I create the keytab:
# ktutil
add_entry -password -p headless@REALM -k 3 -e aes256-cts-hmac-sha1-96
write_kt headless.keytab
quit
To use the keytab file, I'm running this:
kinit headless@REALM -k -t headless.keytab
However, I get a preauth error trying to get the TGT. From a little research, it sounds like the salt used in Microsoft AD might not be conventional so I tried extracting the salt from Wireshark by carefully examining the salt field from the PA-ETYPE-INFO2 preauth data in the Kerberos server response. Indeed, it included the username and realm, but adding the salt to the ktutil add_entry -s option and it still did not accept it.
What is the correct procedure to create a keytab file on Linux for a headless AD account?
security authentication active-directory kerberos
security authentication active-directory kerberos
asked Nov 29 at 2:12
penguin359
8,63423039
asked Nov 29 at 2:12
penguin359
8,63423039
asked Nov 29 at 2:12
penguin359
8,63423039
asked Nov 29 at 2:12
penguin359
8,63423039
asked Nov 29 at 2:12
penguin359
8,63423039
8,63423039
add a comment |
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f484811%2fhow-to-generate-keytab-for-headless-ad-user%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
