In an ADS multiple-domain environment, your HP-UX client machine communicates with multiple Windows 2000 or 2003 domain controllers. To set up Kerberos authentication, your HP-UX host needs a service key known to every domain controller, each of which also acts as a KDC. The service key is created on the Windows 2000 or 2003 Server using ktpass (described in step 5 of “Configuring Active Directory for HP-UX Integration”). After you create the service key file on each domain controller, you need to securely transfer it to your HP-UX machine. All service key files must be merged and stored in /etc/krb5.keytab.
For example, if you integrate LDAP-UX with ADS multiple domains so that users from DomainA, DomainB, and DomainC can log into your HP-UX client machine, you will need to create the service key on each domain controller (say domainA.keytab on DomainA, domainB.keytab on DomainB and domainC.keytab on DomainC), then transfer those files to your HP-UX machine. Finally, merge all three service key files to create /etc/krb5.keytab. Use ktutil to merge the service key files on your HP-UX machine:
# /usr/sbin/ktutil
ktutil: rkt domainA.keytab
ktutil: rkt domainB.keytab
ktutil: rkt domainC.keytab
ktutil: wkt krb5.keytab
ktutil: quit
Use klist -k to show the different entries in the keytab file. The file /etc/krb5.keytab should be readable only by the supervisor.
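The two checks above (every domain has an entry in the merged file, and the file is not readable by other users) can be scripted. The following is an added example, not part of the original HP documentation: it assumes the keytab uses the MIT file format version 0x0502 and that the owner is uid 0, and the realm names, host principal and sample bytes are constructed for illustration.

```python
import os, stat, struct

def counted(buf, p):                       # 16-bit length-prefixed field
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """List (principal, realm, kvno, enctype) per entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(rec, p)
            comps.append(comp.decode())
        # name type (4 bytes) and timestamp (4 bytes) precede the kvno
        kvno, enctype = struct.unpack_from(">BH", rec, p + 8)
        _key, p = counted(rec, p + 11)     # key bytes are skipped, never returned
        if len(rec) - p >= 4:              # optional 32-bit kvno extension
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(comps), realm.decode(), kvno, enctype))
    return entries

def missing_realms(entries, expected):     # realms with no key in the merged file
    present = {realm.upper() for _, realm, _, _ in entries}
    return sorted(r for r in expected if r.upper() not in present)

def mode_ok(path, owner_uid=0):            # regular file, right owner, no group/other bits
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid and not st.st_mode & 0o077

def make_entry(realm, comps, kvno, enctype):   # one constructed entry with a dummy key
    f = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + f(realm) + b"".join(map(f, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + f(b"\0" * 16)
    return struct.pack(">i", len(body)) + body

# Constructed sample: DomainA and DomainB were merged, DomainC was forgotten.
SAMPLE = (b"\x05\x02"
          + make_entry(b"DOMAINA.EXAMPLE", [b"host", b"hpux1.example"], 3, 23)
          + make_entry(b"DOMAINB.EXAMPLE", [b"host", b"hpux1.example"], 2, 23))
```

On the host itself, read /etc/krb5.keytab in binary mode, pass the bytes to parse_keytab, and give missing_realms the realm names of your own domains.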