
Re: Windows machine accounts and keytabs



On Mon, 14 Jan 2008 21:14:40 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> Michael B Allen wrote:
> > On Mon, 14 Jan 2008 14:51:37 +0100
> > cyrus@univ-paris4.fr wrote:
> >
> >> Hello,
> >>
> >> When configuring a Windows workstation to use a Heimdal KDC ( 
> >> http://www.pdc.kth.se/heimdal/heimdal.html#Configuring-Windows-2000-to-use-a-Heimdal-KDC 
> >> ), you issue the command ksetup /setmachpassword.
> >> I have two questions about this command :
> >>
> >> 1) where is this "machine password" stored in the system( the windows 
> >> registry ? SAM ? ) ?
> >
> > Somewhere you can't get to it.
> If only that were true.  Open "regedit.exe" under the SYSTEM account.

I see - $MACHINE.ACC. Do people really set that value directly? I don't
recognise the format.

> >> 2) is it possible to generate a host/hostname.example.com principal with 
> >> a random-key on the KDC, extract to a keytab, and import this keytab 
> >> into the workstation without having to enter a password ?
> >
> > No. There's no way to import or export a keytab representing the machine
> > account of a Windows workstation.
> Windows workstations generate the key on the fly from the machine 
> password which is stored on the machine in the registry.   What you 
> would require is a "generate a random password" function and then set 
> that password on the Windows system.

You mean generate a random password and then set it on the KDC and then
also use it to generate the client's $MACHINE.ACC registry entry?

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/