1

I am on Linux and I have a Java web application container set up with Kerberos. I need this Java web application container set up so that it can authenticate with an IIS server protected by SiteMinder + Kerberos.

So on Windows, I have generated a keytab file using

ktpass -out serviceaccount.keytab -princ serviceaccount@MYDOMAIN.COM -mapUser serviceaccount -mapOp set -pass YOUR_PASSWORD -crypto ALL -pType KRB5_NT_PRINCIPAL

So that gives me serviceaccount.keytab. Great.

But what about on Linux? Can I just use this keytab file that was generated? Or do I have to run this process again? Something like:

ktutil
addent -password -p serviceaccount@MYDOMAIN.COM -k 1 -e RC4-HMAC
- it will ask you for password of serviceaccount -
wkt serviceaccount.keytab
q

Is the keytab file generated on Windows platform-independent? Or does one need to generate it again using Linux ktutil?

Nicholas DiPiazza
  • Should have been on Super User, accidentally created here. If a moderator gets a chance, can they move this to the appropriate Stack Exchange site, Super User? – Nicholas DiPiazza May 23 '18 at 13:58

1 Answer

2

There are a couple of flavors of Kerberos client tools.

The most common is MIT Kerberos; another one is Heimdal.

I haven't seen Heimdal being used anywhere on our Linux servers, but I know other folks are using it.

For example, when you install the krb5-workstation yum package, that will bring in MIT Kerberos and not Heimdal.

As long as you use the same flavor of Kerberos tools, a keytab generated on Windows will work the same on Linux, and vice versa.

Tagar