I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the "password flag". I am not sure how to do this though?
Can I enter the password for kinit
without it prompting me?
For example currently:
If I type in:
$ kinit test@REALM
I get response:
test@REALM's password:
and I have to enter the password. Is there anyway I can input something like kinit test@REALM password so it doesn't prompt me?
The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit . By default, on Windows, a cache file named USER_HOME \krb5cc_ USER_NAME is generated. The identifier USER_HOME is obtained from the java. lang.
kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool that are commonly found in other Kerberos implementations, such as SEAM and MIT Reference implementations.
The kinit command obtains or renews a Kerberos ticket-granting ticket. The Key Distribution Center (KDC) options specified by the [kdcdefault] and [realms] in the Kerberos configuration file (kdc. conf) are used if you do not specify a ticket flag on the command line.
Also you can
$ echo 'password' | kinit username
Use a keytab for that principal!
In detail: How do I a service keytab.
There are multiple ways, but I will assume the following: You are running Active Directory as your KDC implementation, you backend runs on a Unix or Unix-like OS like CentOS, FreeBSD, HP-UX, etc. You have also MIT Kerberos or Heimdal installed and the krb5.conf
is properly configured.
Install msktutil(1)
via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.
Now run mskutil
:
$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
--old-account-password <password> --dont-change-password --keytab <path>
Replace samAccountName
and password
with your data. Leave out dont-change-password
if you are fine with autogenerated passwords. Adjust path
where you want to store the keytab file.
Sample run:
$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
> --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
-- execute: Skipping creation of new password
-- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
-- validate: Found DC: dc01.ad.example.com. Checking availability...
-- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
-- destroy_g_context: Destroying Kerberos Context
-- initialize_g_context: Creating Kerberos Context
-- finalize_exec: SAM Account Name is: uawet8er
-- try_machine_password: Trying to authenticate for uawet8er with password
-- create_default_machine_password: Default machine password for uawet8er is uawet8er
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Vorauthentifizierung fehlgeschlagen)
-- try_machine_password: Authentication with password failed
-- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
-- finalize_exec: Authenticated using method 6
-- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
-- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
-- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
-- ldap_check_account: Checking that a service account for uawet8er exists
-- ldap_check_account: Checking service account - found
-- ldap_check_account: Found userAccountControl = 0x200
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found User Principal: uawet8er
-- ldap_check_account_strings: Inspecting (and updating) service account attributes
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
-- ldap_get_kvno: KVNO is 8
-- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
-- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
-- update_keytab: Updating all entries for uawet8er
-- add_principal_keytab: Adding principal to keytab: uawet8er
-- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: uawet8er
-- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_keytab_entries: Trying to add missing entries for uawet8er to keytab
Now check your keytab with kinit
:
$ kinit -k -t uawet8er.keytab uawet8er
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_722
Standard-Principal: [email protected]
Valid starting Expires Service principal
24.07.2019 13:15:45 24.07.2019 23:15:45 krbtgt/[email protected]
erneuern bis 25.07.2019 13:15:45
This keytab is now ready to be used with your login.conf
for JGSS or with KRB5_CLIENT_KTNAME
and MIT Kerberos.
Create a keytab using "ktutil"
> ktutil
ktutil: addent -password -p [email protected] -k 1 -e rc4-hmac
Password for [email protected]: [enter your password]
ktutil: addent -password -p [email protected] -k 1 -e aes256-cts
Password for [email protected]: [enter your password]
ktutil: wkt username.keytab
ktutil: quit
# Below steps will will create a keytab for the user, move it into a secure directory,
and automatically get a ticket when the user logs in with a bash shell
mkdir /home/username/keytabs
chmod 700 /home/username/keytabs
mv username.keytab /home/username/keytabs
chmod 600 /home/username/keytabs/username.keytab
echo "kinit -kt /home/username/keytabs/username.keytab [email protected]" >> /home/username/.bash_profile
Command to pass keytab and login
kinit [email protected] -k -t /path/to/username.keytab
Reference link hortonworks kb.iu.edu
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With