As a Windows administrator I run into multiple scenarios where SSO is required, so we have to set up UNIX to AD authentication via Kerberos. This is written from the Windows point of view; the UNIX admin has additional steps to perform that are not covered here.
First create a USER account in ADUC for the UNIX server that will be doing SSO. (Yes, from AD's point of view the UNIX server is a user object, not a computer object.)
Now use the ktpass.exe utility to create the keytab file for that user. (This creates the Kerberos key and writes it to the keytab.)
The syntax can be confusing so let’s break down the fundamentals:
Domain: mydomain.com
Realm: MYDOMAIN.COM
UNIX Hostname: uServer1
AD User Object: uServer1 / Password: Password
With that in mind here is the syntax:
ktpass -princ host/uServer1.mydomain.com@MYDOMAIN.COM -mapuser uServer1 -crypto DES-CBC-MD5 +DesOnly -pass Password -ptype KRB5_NT_PRINCIPAL -out uServer1.keytab
Targeting domain controller: DC1.mydomain.com
Using legacy password setting method
Successfully mapped host/uServer1.mydomain.com to uServer1.
Key created.
Output keytab to uServer1.keytab: Keytab version: 0x502
keysize 88 host/uServer1.mydomain.com@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x52df3b2f100ef4dc)
Account uServer1 has been set for DES-only encryption.
Now give the keytab file to the UNIX admin.
Important SOLARIS information: once you have generated the keytab file, if you ever have to regenerate it you will notice that the VNO changes (it is bumped like a version number; the output above shows VNO 3). SOLARIS systems do not understand anything other than VNO 3. So you will have to completely delete the UNIX user account from AD, then re-create a new object with the same name and re-run the ktpass command to generate a new keytab with VNO 3.
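The whole procedure above (create the user object, run ktpass, hand over the keytab, watch the VNO) as a PowerShell script. This is an added example, not code from the original post. It assumes a domain-joined Windows box with the ActiveDirectory module and ktpass.exe available (both come with RSAT and are present on domain controllers) and an account allowed to create users and reset passwords. mydomain.com and uServer1 are the post's own sample values; the ktpass switches used are -princ, -mapuser, -crypto, +DesOnly, -ptype, -out and +rndpass (which lets ktpass pick a random password so nobody needs to know it, since only the keytab is ever used). The crypto type defaults to the post's DES-CBC-MD5 but is a parameter, because ktpass also accepts AES256-SHA1, AES128-SHA1 and RC4-HMAC-NT and modern DCs do not enable DES by default. The script reads the vno back from the ktpass output, cross-checks it against the account's msDS-KeyVersionNumber attribute, and warns when it is not 3 for the Solaris case.

```powershell
# Added example (not part of the original post): scripts the manual ktpass
# procedure so the principal, realm and keytab name are derived from a few
# variables instead of being typed by hand.
param(
    [string]$Domain   = 'mydomain.com',   # post's sample domain
    [string]$UnixHost = 'uServer1',       # post's sample UNIX host / AD user name
    # Post uses DES; ktpass also accepts AES256-SHA1, AES128-SHA1, RC4-HMAC-NT.
    [string]$Crypto   = 'DES-CBC-MD5',
    [string]$OutDir   = "$env:USERPROFILE\keytabs"
)

Import-Module ActiveDirectory -ErrorAction Stop
$ktpass = (Get-Command ktpass.exe -ErrorAction Stop).Source

$Realm     = $Domain.ToUpper()                 # realm = domain name, upper-cased
$Principal = "host/$UnixHost.$Domain@$Realm"   # host principal for the UNIX server
$Keytab    = Join-Path $OutDir "$UnixHost.keytab"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: the UNIX server is a USER object in AD, not a computer object.
# Create it if missing. The password set here is a throw-away: ktpass +rndpass
# replaces it with a random one that only the keytab holds.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$UnixHost'")) {
    $rnd = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
    $tmpPw = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force
    New-ADUser -Name $UnixHost -SamAccountName $UnixHost `
        -AccountPassword $tmpPw -Enabled $true -PasswordNeverExpires $true
    Write-Host "Created AD user object $UnixHost"
}

# Step 2: build the ktpass argument list. +DesOnly only applies to DES types,
# so it is added only when the chosen crypto is a DES variant.
$ktArgs = @('-princ', $Principal, '-mapuser', $UnixHost,
            '-crypto', $Crypto, '-ptype', 'KRB5_NT_PRINCIPAL',
            '+rndpass', '-out', $Keytab)
if ($Crypto -like 'DES*') { $ktArgs += '+DesOnly' }

$output = & $ktpass @ktArgs 2>&1
$output | ForEach-Object { Write-Host $_ }
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Step 3: pull the key version number (vno) out of the ktpass output and
# compare it with what AD now holds for the account.
$m = $output | Select-String -Pattern 'vno (\d+)' | Select-Object -First 1
if (-not $m) { throw "could not find 'vno N' in ktpass output" }
$vno    = [int]$m.Matches[0].Groups[1].Value
$adKvno = (Get-ADUser $UnixHost -Properties msDS-KeyVersionNumber).'msDS-KeyVersionNumber'
Write-Host "keytab vno = $vno, AD msDS-KeyVersionNumber = $adKvno"

# Post's Solaris caveat: every regeneration bumps the vno, and the post states
# Solaris only accepts vno 3. The post's fix is to delete the user object,
# re-create it with the same name and run ktpass again.
if ($vno -ne 3) {
    Write-Warning "vno is $vno, not 3: for Solaris, delete user $UnixHost, re-create it and re-run this script."
}

Write-Host "Keytab written to $Keytab. Hand it to the UNIX admin over a secure channel and remove the local copy afterwards."
```

Run it as `.\New-UnixKeytab.ps1 -UnixHost uServer2` for another host, or add `-Crypto AES256-SHA1` where the UNIX side supports AES; with AES the +DesOnly flag is left out automatically, since setting DES-only on an account that has no DES key would break authentication.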