Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

ktpass

You can use the ktpass command to configure services that run on UNIX systems to work with service instance accounts in Active Directory. You can also use ktpass to generate the Kerberos keytab files that those services use. Before you map an Active Directory user account to OpenSSO Enterprise, check the Java version that OpenSSO is configured to run on. If the Java version is 1.5_08 or higher, you can generate the Kerberos keytab file with the default values for account encryption and cryptosystem, because Java 1.5_08 and higher support RC4-HMAC, the default cryptosystem of the Windows domain controller (the Kerberos KDC). If the Java version is lower than 1.5_08, you must use the DesOnly option, which restricts the account to DES keys. DES is a weak cipher, so treat a DES-only account as a stopgap and upgrade Java so that RC4-HMAC can be used. The ktpass options are listed in Table 18–4.

Table 18–4 ktpass Command Options

Options take a - or / prefix. Toggles (rndPass, DesOnly, Answer) take + to enable and - to disable.

Option                   Description
---------------------    ------------------------------------------------------------
[- or /] out             Keytab to produce.
[- or /] princ           Principal name (user@REALM).
[- or /] pass            Password to use. Use "*" to prompt for the password.
[- or +] rndPass         Generate a random password.
[- or /] minPass         Minimum length for the random password (default: 15).
[- or /] maxPass         Maximum length for the random password (default: 256).
[- or /] mapuser         Map the principal to this user account (default: no mapping).
[- or /] mapOp           Set the mapping attribute:
                           add   add the value (default)
                           set   set the value
[- or +] DesOnly         Set the account for DES-only encryption (default: don't).
[- or /] in              Set the keytab to read/digest.

Key Generation

[- or /] crypto          Cryptosystem to use:
                           DES-CBC-CRC   for compatibility
                           DES-CBC-MD5   for compatibility
                           RC4-HMAC-NT   default; 128-bit encryption
[- or /] ptype           Principal type. Use one of:
                           KRB5_NT_PRINCIPAL   the general ptype (recommended)
                           KRB5_NT_SRV_INST    user service instance
                           KRB5_NT_SRV_HST     host service instance
[- or /] kvno            Override the key version number. Default: query the DC for
                         the kvno. Use /kvno 1 for Windows 2000 compatibility.
[- or +] Answer          +Answer answers YES to all prompts; -Answer answers NO.
[- or /] Target          Which domain controller to use. Default: detect the domain
                         controller.

Options for Trust Attributes (Windows Server 2003 SP1 Only)

[- or /] MitRealmName    MIT realm to enable RC4 trust on.
[- or /] TrustEncryp     Trust encryption to use:
                           RC4   RC4 realm trusts
                           DES   revert to DES
                         The ktpass help text names DES as the default in one place
                         and RC4 in another; verify the effective setting on your
                         domain controller before relying on either.
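The following PowerShell script is an added example and is not part of the OpenSSO guide or the ktpass tool. It carries out the decision described above: it reads the version banner of the Java runtime that OpenSSO runs on, decides whether that runtime supports RC4-HMAC (1.5_08 or higher), and then builds and runs a ktpass command using the options from Table 18–4, adding +DesOnly and a DES cryptosystem only for older Java. The host name, realm, service account and keytab path are placeholders for a hypothetical deployment; the Test-JavaSupportsRc4Hmac and Get-KtpassArguments functions are defined here for illustration and are not part of any product.

```powershell
# Added example (not from the OpenSSO guide): pick ktpass options from the Java
# version OpenSSO Enterprise runs on, then generate the keytab. Every name below
# is a placeholder for a hypothetical deployment; replace with your own values.

$ServiceHost = 'opensso.example.com'      # hypothetical OpenSSO host (FQDN)
$Realm       = 'EXAMPLE.COM'              # hypothetical Kerberos realm (AD domain, upper case)
$AdUser      = 'opensso-svc'              # hypothetical AD service account to map the SPN to
$KeytabPath  = 'C:\keytabs\opensso.keytab'

# Parse a "java -version" banner and decide whether the JVM supports RC4-HMAC.
# Rule from the guide: Java 1.5_08 or higher supports RC4-HMAC (the default
# cryptosystem of a Windows KDC); anything older needs a DES-only account.
function Test-JavaSupportsRc4Hmac {
    param([Parameter(Mandatory)][string]$VersionBanner)

    # Matches '1.5.0_08' and '1.6.0_45' as well as post-Java-9 strings such as '11.0.2'.
    if (-not ($VersionBanner -match 'version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')) {
        throw "Could not parse a Java version from: $VersionBanner"
    }
    $major  = [int]$Matches[1]
    $minor  = [int]$Matches[2]
    $update = if ($Matches[4]) { [int]$Matches[4] } else { 0 }

    if ($major -gt 1) { return $true }              # Java 9 and later ("11.0.2")
    if ($minor -gt 5) { return $true }              # 1.6, 1.7, 1.8
    if ($minor -eq 5) { return ($update -ge 8) }    # 1.5_08 and later 1.5 updates
    return $false                                   # 1.4 and older
}

# Build the ktpass argument list for the SPN that OpenSSO authenticates as.
# Only options from Table 18-4 are used: /princ, /mapuser, /pass, /ptype,
# /out, /crypto and +DesOnly.
function Get-KtpassArguments {
    param([Parameter(Mandatory)][bool]$SupportsRc4Hmac)

    $ktArgs = @(
        '/princ',   "HTTP/$ServiceHost@$Realm",
        '/mapuser', "$AdUser@$Realm",
        '/pass',    '*',                    # prompt for the account password
        '/ptype',   'KRB5_NT_PRINCIPAL',    # the general ptype, recommended by the guide
        '/out',     $KeytabPath
    )
    if ($SupportsRc4Hmac) {
        # Java 1.5_08 or higher: keep the DC default (RC4-HMAC-NT); account stays non-DES.
        $ktArgs += @('/crypto', 'RC4-HMAC-NT')
    } else {
        # Older Java: restrict the account to DES and write a DES key into the keytab.
        # DES is a weak cipher; this is a stopgap until the Java runtime is upgraded.
        $ktArgs += @('+DesOnly', '/crypto', 'DES-CBC-MD5')
    }
    return $ktArgs
}

# Read the version of the Java that OpenSSO runs on. java prints its banner on
# stderr, so merge the streams. Assumes the OpenSSO JVM is the first java in PATH.
$banner     = (& java -version 2>&1 | Select-Object -First 1).ToString()
$rc4        = Test-JavaSupportsRc4Hmac -VersionBanner $banner
$ktpassArgs = Get-KtpassArguments -SupportsRc4Hmac $rc4

Write-Host "Java banner : $banner"
Write-Host "RC4-HMAC ok : $rc4"
Write-Host "Command     : ktpass $($ktpassArgs -join ' ')"

# ktpass changes the AD account (it sets servicePrincipalName and, with +DesOnly,
# the DES-only flag on the account) and writes the keytab, so run it as a user who
# can modify the account, and copy the keytab to the OpenSSO host over a protected channel.
& ktpass @ktpassArgs
```

Run the script on a domain-joined Windows host that has the Java runtime OpenSSO uses in PATH; the printed command line lets you review the options before ktpass touches the account. Because ktpass rewrites the account's key (and therefore its kvno), re-run it rather than editing an old keytab whenever the account password changes.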