Generating Stanford keytabs from a Mac


The instructions provided by ITS for integrating stanford.edu Kerberos keytabs are here. However well written, it's clear they're geared for Unix or Linux administrators.

It's actually easier for Mac admins, in my opinion, since you have the campus Unix/Linux cluster machines to use, your Mac server already has the Kerberos bits built in, and you don't have to compile or install AFS components, either.

You will, however, need to request the keytabs to be generated. This is done by the University's Kerberos authority. Follow the instructions here, which ask you to send an email along with some requisite information. She or he will send you an email when the proper access controls have been added, and you can then proceed to generate your keytabs.

The actual keytab generation process can be done by ssh'ing to cardinal, vine, pod or any of the other hosts. In my experience, the machine you use seems to be particular, and I always use one of the hedge machines. Others may work, but my luck always seems to be solid with these computers. Perhaps it's the version of Ubuntu that's running on them, I'm not sure.

Here are the simplified instructions:

1) ssh to hedge.
2) at the prompt, run the kinit command.
3) cd to a directory in your AFS space that's private and secure.
4) run this command:
/usr/pubsw/sbin/leland_srvtab -u yoursunetid -f mysrvtab -k mykeytab service.myserver

The leland_srvtab is the actual command. The -u yoursunetid part seems like it shouldn't be necessary, but seems to be (even if you've done the kinit step above). The -f mysrvtab part is the Kerberos 4 srvtab generation, where "mysrvtab" is an arbitrary name you've chosen for this file. The -k mykeytab is the same for Kerberos 5. The service.myserver is whatever the service is (say, rcmd, afpserver, cifs) plus dot-hostname (not the fully qualified domain name).

An example command would be:
leland_srvtab -u nbfa -f cifs.srvtab -k cifs.keytab cifs.betenoire

The output in the terminal will be:
srvtab successfully created.
keytab successfully created.
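
Before the new keytab goes into long-term storage, it is worth confirming which principal, key version and encryption types it actually holds. The following is an added example, not part of the original post or of Stanford's tooling: a small Python reader for the version 0x0502 Kerberos 5 keytab file format that lists each entry and flags single-DES keys. The host name, realm and all-zero keys in the sample are constructed placeholders.

```python
import struct

# Kerberos enctype numbers; the single-DES types (1-3) are weak.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3}

def _counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab field")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype name, is_weak) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):         # realm first, then the name components
            raw, off = _counted(rec, off)
            names.append(raw.decode())
        # name type (4 bytes), timestamp (4), 8-bit kvno (1), enctype (2)
        _, _, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        _, off = _counted(rec, off + 11)   # key bytes are skipped, never returned
        if len(rec) - off >= 4:            # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        name = "/".join(names[1:]) + "@" + names[0]
        entries.append((name, kvno, ENCTYPES.get(etype, str(etype)), etype in WEAK))
    return entries

def _entry(realm, parts, kvno, etype, key):   # builds constructed test data only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(parts)) + s(realm) + b"".join(map(s, parts))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: placeholder host and realm, all-zero dummy keys.
PRINC = (b"EXAMPLE.EDU", [b"cifs", b"myserver.example.edu"])
SAMPLE = b"\x05\x02" + _entry(*PRINC, 2, 3, bytes(8)) + _entry(*PRINC, 2, 18, bytes(32))
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab; the function returns names and key metadata only, so its output is safe to paste into a ticket or log.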

You should have a process in place for handling these keytabs so that they're kept exceptionally secure. My process is to use the OpenAFS desktop tool running on my Mac laptop, so that my AFS space is accessible via the Finder. I make an encrypted disk image using Disk Utility (and a high-quality password). I transfer the tabs to this virtual disk; then, when I need to import them on my server, I just scp the .dmg to my server's desktop. This way, I have a secure repository for my server's tabs, while the .dmg is in multiple locations. I won't need to regenerate the keytabs if I need to rebuild the server in the future, only if the hostname changes.


About this Entry

This page contains a single entry by Noah Abrahamson published on February 13, 2008 10:32 AM.
