HP CIFS Server Administrator's Guide Version A.03.01.04 (5900-2303), April 2012
• HP-UX Kerberos Client
Kerberos v5 Client D.1.6.2 or later for HP-UX 11i v2◦
◦ Kerberos v5 Client E.1.6.2 or later for HP-UX 11i v3
• Service Pack 1 is recommended for Windows 2003, and required for inter-operation with
Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2 or later
on HP-UX 11i v3.
• HP-UX LDAP-UX Integration product
• Windows 2000, Windows 2003, or Windows 2008 Server domain.
• Windows 2000 or Windows XP Client
Configuring krb5.keytab
Here are the required components to configure HP CIFS Server with HP-UX Internet Services
co-existence:
• Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2 or later
on HP-UX 11i v3.
• /etc/krb5.conf file
• /etc/opt/samba/smb.conf file
• /etc/krb5.keytab file
• net ads keytab create command
The first task is to configure HP CIFS Server for Kerberos authentication and join it to a Windows
domain.
Use the following steps to generate a valid keytab file and to configure an HP CIFS Server to access
the keytab file:
1. Add the default_keytab_name parameter with the FILE attribute in the /etc/krb5.conf
file. The Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2
or later on HP-UX 11i v3 is required for the FILE attribute.
An example of /etc/krb5.conf for HP CIFS Server keytab creation is as follows:
# Kerberos configuration
[libdefaults]
default_realm = MYREALM.HP.COM
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
MYREALM.HP.COM = {
kdc = HPWIN2K4.MYREALM.HP.COM:88
admin_server = HPWIN2K4.MYREALM.HP.COM
}
[domain_realm]
.hp.com = MYREALM.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
2. To configure the HP CIFS Server to read /etc/krb5.keytab, set the Kerberos method
parameter in the /etc/opt/samba/smb.conf file to dedicated keytab = <keytab
file location>.
112 Kerberos support