Re: Windows machine accounts and keytabs
On Mon, 14 Jan 2008 21:14:40 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
> Michael B Allen wrote:
> > On Mon, 14 Jan 2008 14:51:37 +0100
> > cyrus@univ-paris4.fr wrote:
> >
> >> Hello,
> >>
> >> When configuring a Windows workstation to use a Heimdal KDC (
> >> http://www.pdc.kth.se/heimdal/heimdal.html#Configuring-Windows-2000-to-use-a-Heimdal-KDC
> >> ), you issue the command ksetup /setmachpassword.
> >> I have two questions about this command :
> >>
> >> 1) where is this "machine password" stored in the system (the Windows
> >> registry? SAM?)?
> >
> > Somewhere you can't get to it.
> If only that were true. Open "regedit.exe" under the SYSTEM account.
I see - $MACHINE.ACC. Do people really set that value directly? I don't
recognise the format.
> >> 2) is it possible to generate a host/hostname.example.com principal with
> >> a random-key on the KDC, extract to a keytab, and import this keytab
> >> into the workstation without having to enter a password ?
> >
> > No. There's no way to import or export a keytab representing the machine
> > account of a Windows workstation.
> Windows workstations generate the key on the fly from the machine
> password which is stored on the machine in the registry. What you
> would require is a "generate a random password" function and then set
> that password on the Windows system.
You mean generate a random password and then set it on the KDC and then
also use it to generate the client's $MACHINE.ACC registry entry?
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
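As an added illustration of the point made in this thread (example code written here, not part of any of the posts nor of Heimdal or Windows): because the workstation derives its Kerberos key from the machine password on the fly, anyone who sets the same password on the KDC side can derive the same key and write it into a keytab, so no export from the workstation is needed. It assumes the workstation's enctype is arcfour-hmac-md5 (enctype 23, RFC 4757: MD4 over the UTF-16LE password, no salt) and uses a constructed principal and realm; the keytab writer follows the MIT/Heimdal v2 (0x0502) file layout.

```python
import secrets
import struct
import time

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), written out because hashlib's md4 is often disabled."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f, k, s = ((b & c) | (b & d) | (c & d)) + 0x5A827999, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:         # round 3: H, words 0,8,4,12,2,10,...
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j], (3, 9, 11, 15)[j % 4]
            a, b, c, d = d, _rotl((a + f + x[k]) & MASK, s), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)

def rc4_hmac_key(password: str) -> bytes:
    """arcfour-hmac-md5 string-to-key (RFC 4757): MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))

def keytab_bytes(principal: str, realm: str, key: bytes, enctype: int = 23,
                 kvno: int = 1, timestamp: int = 0) -> bytes:
    """One-entry keytab in the MIT/Heimdal v2 (0x0502) file format; fields are big-endian."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for name in [realm] + comps:                  # realm first, then the name components
        body += struct.pack(">H", len(name.encode())) + name.encode()
    body += struct.pack(">IIB", 1, timestamp or int(time.time()), kvno)  # NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">I", len(body)) + body

def new_machine_password(nbytes: int = 32) -> str:
    """Random password to set on the KDC and hand to `ksetup /setmachpassword`."""
    return secrets.token_urlsafe(nbytes)
```

Writing `keytab_bytes("host/ws1.example.com", "EXAMPLE.COM", rc4_hmac_key(pw))` to a file gives the KDC a keytab whose key matches what the workstation computes from the same `pw`; the unsalted derivation is also why the same password always yields the same RC4 key in every realm.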