How to automate kinit process to obtain TGT for Kerberos?


Solution 1

Stupid me, you can simply use the following command:

echo "password" | kinit aduser@REALM

Solution 2

While you can just hard-code the password into your automation, the more correct Kerberos way to do this is to create a keytab for the principal and then use that to authenticate. kinit supports authenticating from a keytab using the -k -t <keytab-path> options.

The primary advantage of a keytab is that it isolates the credentials in a separate file and can be used directly by various Kerberos software (so you don't have to add code to read a password from a separate file). It can also be created with standard commands (with an AD KDC, use ktpass). There are some more advantages if you have a Linux KDC, such as easily randomizing keys stored in the keytab rather than using a weaker password.
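The keytab flow described in this answer, written out as an added example (not code from the original answer or from any Kerberos project): it creates the keytab once with MIT ktutil, checks that the file is not readable by other users, obtains the TGT with kinit -k -t into a private credentials cache, and confirms with klist -s that a valid ticket actually landed. The principal svc-puppet@EXAMPLE.COM, the keytab path and the cache path are hypothetical.

```sh
#!/bin/sh
# Added example: non-interactive TGT acquisition from a keytab, as a cron or
# Puppet job would do it. Names below (principal, paths) are assumptions.

# 1. Create the keytab once (MIT ktutil shown; on an AD domain controller the
#    equivalent is ktpass). The kvno must match what the KDC currently holds
#    for the principal, otherwise kinit -k fails with a key-version error.
#    The umask keeps the file 0600 from the moment ktutil writes it.
make_keytab_mit() {
    principal="$1"; keytab="$2"; password="$3"; kvno="${4:-1}"
    command -v ktutil >/dev/null 2>&1 || { echo "ktutil not installed" >&2; return 127; }
    (
        umask 077
        ktutil <<EOF
addent -password -p $principal -k $kvno -e aes256-cts-hmac-sha1-96
$password
wkt $keytab
EOF
    )
}

# 2. A keytab is a plaintext credential: refuse to use one that is not a
#    regular file with mode 0600 (or 0400). stat -c is GNU, stat -f is BSD.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab $kt does not exist" >&2; return 1; }
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $kt has mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# 3. Get the TGT. -k -t selects the keytab; -c uses a private cache so the
#    job never clobbers an interactive user's tickets. klist -s exits 0 only
#    if the cache holds a valid, unexpired TGT, which is the real success test.
get_tgt() {
    principal="$1"; kt="$2"; ccache="$3"
    check_keytab_perms "$kt" || return 1
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 127; }
    kinit -k -t "$kt" -c "$ccache" "$principal" || return 1
    KRB5CCNAME="$ccache" klist -s
}

# Usage (hypothetical values):
#   make_keytab_mit svc-puppet@EXAMPLE.COM /etc/krb5.svc-puppet.keytab "$PASS" 3
#   get_tgt svc-puppet@EXAMPLE.COM /etc/krb5.svc-puppet.keytab /run/krb5cc_svc-puppet
if [ "$#" -eq 3 ]; then
    get_tgt "$@"
fi
```

The TGT expires after the realm's ticket lifetime (commonly 10 hours), so the job has to be re-run from cron or a systemd timer before then; because get_tgt only succeeds when klist -s does, a wrapper can simply retry on a non-zero exit. For Heimdal, ktutil's syntax differs (ktutil add -p principal -V kvno -e enctype -w password), but the kinit -k -t and klist -s steps are the same.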

Solution 3

According to the man-page you might use:

kinit --password-file="$HOME/my.secret" [email protected]

So you can just provide your password via a file.


Author: user3622502

Updated on September 18, 2022

Comments

  • user3622502
    user3622502 over 1 year

    I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos.

    Currently, I have problems with automatically obtaining and caching a Kerberos ticket-granting ticket via kinit. If this were to be done manually, I would do this:

    kinit [email protected]
    

    This prompts for the AD user password, hence there is a problem with automating this.

    How can I automate this? I've found some posts mentioning using kadmin to create a database with the AD users password in it, but I've had no luck.

  • Dejan
    Dejan about 9 years
    echo -n "$PASS" | kinit "$USER" does not output a trailing newline
  • Havnar
    Havnar over 8 years
    Or print a poster with your password and hang it out! Storing your password in plain text is a no-no
  • Dennis Jaheruddin
    Dennis Jaheruddin almost 8 years
    Keytab definitely seems to be the way to go. If you generate this in kadmin, make sure to use the -norandkey flag in ktadd if you don't want to invalidate the existing password.
  • Indranil Gayen
    Indranil Gayen over 5 years
    Does it work in Windows?
  • Sam Morris
    Sam Morris over 2 years
    FYI, --password-file= is available with the kinit command that comes as a part of Heimdal Kerberos. It's not available with MIT Kerberos' kinit command.