In an ADS multiple-domain environment, your HP-UX client
machine communicates with multiple Windows 2000 domain controllers.
To set up Kerberos authentication, your HP-UX host needs a service
key known to every domain controller, because each domain controller
also acts as the KDC for its domain. The service key is created on Windows 2000 Server using ktpass (described in step 5 of "Configuring Active
Directory for HP-UX Integration"). After you create the service key file
on each domain controller, you need to transfer it securely to your
HP-UX machine (for example with scp or sftp, never with plain ftp or rcp,
because the file contains the host's long-term Kerberos key). All service
key files must then be merged and stored in /etc/krb5.keytab.
For example, if you integrate LDAP-UX with ADS multiple domains
so that users from DomainA, DomainB, and DomainC can log in to your HP-UX
client machine, you need to create a service key on each domain
controller (say domainA.keytab on DomainA, domainB.keytab on DomainB, and domainC.keytab on DomainC), then transfer those files to your HP-UX
machine. Finally, merge all three service key files to create /etc/krb5.keytab. Use ktutil to merge the service key files on your HP-UX machine: each rkt command reads one file's entries into ktutil's in-memory key list, and wkt writes that list to the named keytab. Because wkt adds entries to an existing keytab rather than replacing it, move any old /etc/krb5.keytab aside before merging, so stale keys and key version numbers do not linger next to the new ones:
# /usr/sbin/ktutil
ktutil: rkt domainA.keytab
ktutil: rkt domainB.keytab
ktutil: rkt domainC.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: quit
Use klist -k /etc/krb5.keytab to display the entries in the merged keytab; you should see the host's principal for each of the three domains, each with its key version number. The file /etc/krb5.keytab must be owned by root and readable only by root (mode 600), because anyone who can read it holds the host's keys for every domain and can impersonate the HP-UX host to all of them. Delete the per-domain keytab files from the HP-UX machine once the merge is complete.
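The whole procedure above, as an added POSIX shell example that is not part of the HP-UX LDAP-UX documentation: it drives ktutil non-interactively with the same rkt/wkt commands, refuses to merge onto an existing keytab, locks the result down to root, and checks that klist -k shows a principal in every expected realm. The keytab file names, the realm names in the usage comment, and the locations of ktutil and klist are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP-UX LDAP-UX documentation.  Merges the
# per-domain keytabs into /etc/krb5.keytab without the interactive ktutil
# session, locks the result down to root, and checks that every expected
# realm is present.  File names and realm names are assumptions.

# Print the ktutil command script that merges the given keytabs into $1.
ktutil_script() {
    out="$1"; shift
    for kt in "$@"; do
        printf 'rkt %s\n' "$kt"
    done
    printf 'wkt %s\nquit\n' "$out"
}

# Return 0 if $1 is a regular file with mode 600 (read/write for owner only).
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Merge keytabs into $1.  Refuses to write onto an existing file, because
# ktutil's wkt adds entries to an existing keytab instead of replacing it,
# so a stale file would keep old keys (and old kvnos) next to the new ones.
merge_keytabs() {
    out="$1"; shift
    if [ -e "$out" ]; then
        echo "$out already exists; move it aside before merging" >&2
        return 1
    fi
    for kt in "$@"; do
        [ -r "$kt" ] || { echo "cannot read $kt" >&2; return 1; }
    done
    # umask in a subshell so the keytab is never created world-readable
    ( umask 077; ktutil_script "$out" "$@" | /usr/sbin/ktutil ) || return 1
    chown root "$out" && chmod 600 "$out"
}

# Return 0 if klist -k shows a principal in every realm listed after $1.
keytab_has_realms() {
    kt="$1"; shift
    listing=$(klist -k "$kt") || return 1
    for realm in "$@"; do
        echo "$listing" | grep -q "@$realm\$" || {
            echo "no entry for realm $realm in $kt" >&2; return 1; }
    done
}

# Usage (run as root on the HP-UX client after transferring the files):
#   merge_keytabs /etc/krb5.keytab domainA.keytab domainB.keytab domainC.keytab
#   keytab_mode_ok /etc/krb5.keytab
#   keytab_has_realms /etc/krb5.keytab DOMAINA.EXAMPLE.COM DOMAINB.EXAMPLE.COM DOMAINC.EXAMPLE.COM
#   rm -f domainA.keytab domainB.keytab domainC.keytab
```

The realm check matches the trailing "@REALM" of each principal printed by klist -k, so it also catches the common mistake of a ktpass run that mapped the HP-UX host to the wrong domain's principal.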