[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Windows machine accounts and keytabs

Michael B Allen wrote:
> On Mon, 14 Jan 2008 14:51:37 +0100
> cyrus@univ-paris4.fr wrote:
>> Hello,
>> When configuring a Windows workstation to use a Heimdal KDC ( 
>> http://www.pdc.kth.se/heimdal/heimdal.html#Configuring-Windows-2000-to-use-a-Heimdal-KDC 
>> ), you issue the command ksetup /setmachpassword.
>> I have two questions about this command :
>> 1) where is this "machine password" stored in the system( the windows 
>> registry ? SAM ? ) ?
> Somewhere you can't get to it.
If only that were true.  Open "regedit.exe" under the SYSTEM account.
>> 2) is it possible to generate a host/hostname.example.com principal with 
>> a random-key on the KDC, extract to a keytab, and import this keytab 
>> into the workstation without having to enter a password ?
> No. There's no way to import or export a keytab representing the machine
> account of a Windows workstation.
Windows workstations generate the key on the fly from the machine 
password which is stored on the machine in the registry.   What you 
would require is a "generate a random password" function and then set 
that password on the Windows system.

S/MIME Cryptographic Signature