Services running on UNIX systems can be configured with service instance accounts in Active Directory. This allows full interoperability: MIT Kerberos clients and servers on UNIX systems can authenticate by using the Windows Server 2003 Kerberos server, and clients connected to servers running Windows Server 2003 can authenticate to Kerberos services that support GSS-API.
Unlike Kerberos principal names, Windows Server 2003 account names do not have multiple parts. For this reason, it is not possible to directly create an account with the name Sample/Unix1.microsoft.com. Such a principal instance is instead created by using a service principal name mapping.
To generate a UNIX host keytab file, map the principal to the account, and set the host principal password:
Use the Active Directory User and Computers snap-in to create a user account for the UNIX service. For example, create an account with the name SampleUnix1.
Set up an identity mapping for the user account using KtPass by typing a command line that uses this syntax:
ktpass /princ ServiceInstance@REALM /mapuser AccountName /pass Password /out Unixmachine.Keytab
You cannot map multiple service instances to the same user account.
Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
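The merge in the last step is the part the page leaves unspecified, so here is an added example (not from the original page or from Microsoft) of doing it with MIT Kerberos's ktutil on the UNIX host. It assumes the MIT tools ktutil, klist and kinit are installed, that the keytab produced by the ktpass command above has been copied to the host (the path /tmp/unix1.keytab and the principal name are placeholders), and that the script runs as root because /etc/krb5.keytab holds the service's long-term key.

```shell
#!/bin/sh
# Added example, not part of the original page. Merges a keytab exported by
# ktpass on the domain controller into /etc/krb5.keytab with MIT ktutil.
#
# Windows side (syntax as given on the page; values are placeholders):
#   ktpass /princ Sample/unix1.example.com@EXAMPLE.COM /mapuser SampleUnix1 \
#          /pass <password> /out unix1.keytab
# Note that ktpass /pass sets the AD account password to the given value.

# Build the command script fed to ktutil. "rkt" loads the entries of a keytab
# into ktutil's in-memory list; "wkt" appends that list to the target keytab,
# which is how MIT merges keytabs (existing entries in the target are kept).
ktutil_script() {
    src="$1"
    dst="$2"
    printf 'rkt %s\nwkt %s\nquit\n' "$src" "$dst"
}

# Merge $1 into $2 (default /etc/krb5.keytab) and lock down the result.
merge_keytab() {
    src="$1"
    dst="${2:-/etc/krb5.keytab}"
    [ -r "$src" ] || { echo "cannot read keytab $src" >&2; return 1; }
    command -v ktutil >/dev/null 2>&1 || { echo "ktutil not found" >&2; return 1; }
    ktutil_script "$src" "$dst" | ktutil || return 1
    # The keytab is equivalent to the service's password: root-only access.
    chown root:root "$dst" && chmod 600 "$dst"
}

# Sanity checks after the merge: the entry must be listed, and the host must be
# able to obtain a TGT with it. A kinit failure here usually means the key
# version (kvno) or encryption type in the keytab no longer matches the AD
# account, e.g. because ktpass was run again with a new password.
verify_keytab() {
    principal="$1"
    keytab="${2:-/etc/krb5.keytab}"
    klist -k "$keytab" | grep -F "$principal" >/dev/null || return 1
    kinit -k -t "$keytab" "$principal" || return 1
    kdestroy
}

# Usage: merge_keytab.sh /tmp/unix1.keytab Sample/unix1.example.com@EXAMPLE.COM
if [ "$#" -ge 2 ]; then
    merge_keytab "$1" /etc/krb5.keytab && verify_keytab "$2" /etc/krb5.keytab
fi
```

If the old account key stays in the keytab after a re-run of ktpass, that is harmless: the KDC issues tickets under the current kvno and the library selects the matching entry, so the verification step is what tells you whether the current key is present.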