On Thu, Apr 24, 2014 at 10:10 PM, Josh Clum <joshclum@gmail.com> wrote:

So just looking at the ticket, I can get the following seemingly relevant information. I'm requesting a tgt for a principle client@EXAMPLE.COM. krbtgt/EXAMPLE.COM@EXAMPLE.COM is my KDC in Ldap.

TgTicket serverTgt = conn.getTgt(sshPrincipal, PASSWORD);
LOG.debug("Client name: {}", serverTgt.getClientName());
LOG.debug("Key version: {}", serverTgt.getEncKdcRepPart().getKey().getKeyVersion());
LOG.debug("Key type: {}", serverTgt.getEncKdcRepPart().getKey().getKeyType());
LOG.debug("Server name: {}", serverTgt.getServerName());
LOG.debug("Ticket Vno: {}", serverTgt.getTicket().getTktVno());
LOG.debug("Protocol Vno: {}", serverTgt.getTicket().getProtocolVersionNumber());
LOG.debug("Server Name: {}", serverTgt.getTicket().getSName());
LOG.debug("Server Name Value Type: {}", serverTgt.getTicket().getSName().getNameType().getValue());
LOG.debug("Server Name String: {}", serverTgt.getTicket().getSName().getNameString());

Client name: client
Key version: 0
Key type: des-cbc-md5 (3)
Server name: krbtgt/EXAMPLE.COM
Ticket Vno: 5
Protocol Vno: 5
Server Name: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
Server Name Value Type: 2
Server Name String: krbtgt/EXAMPLE.COM

For my keytab entry i need:

new KeytabEntry(String princNam, long PrincType, KerberosTime timeStamp, byte keyverion, EncryptionKey key);

I have fixed an issue with null starttime in the ticket and also modified the above constructor a bit( mostly
changed the type of 'pricipalType' to int)

I suggest you use the trunk
I'm guessing that creating a keytab entry for client@EXAMPLE.COM would be done by passing in:

new KeytabEntry("client@EXAMPLE.COM", X, Y, (byte) 0, Z);


X = PrincType? Is there some constant defined somewhere?
Y = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
Z = encryption key from TgTicket.getEncKdcRepPart()

Does that sound correct? Could i then use that keytab to authenticate client@EXAMPLE.COM?
here is the test code that I used to create a Keytab http://pastebin.com/3AvpSARx
for some reason yet unknown to me when I try klist on this keytab it fails with the error
(both on Linux and OS X as well)

klist: krb5_cc_get_principal: Offset too large

I have verified the format of the generated keytab and it is correct


On Thu, Apr 24, 2014 at 11:45 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:

On Thu, Apr 24, 2014 at 9:06 PM, Josh Clum <joshclum@gmail.com> wrote:
What would be the key things I would need to get from the Tgt?

all those that are needed to build a keytab ;)
(let me know if you don't find a particular piece of data in TgTicket)

On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:

On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <joshclum@gmail.com> wrote:
I was wondering if there was a way to generate my own keytab in java without going to the kdc? I found code similar to this in an ApachDS test:

        Keytab keytab = Keytab.getInstance(); 
        KerberosTime timeStamp = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));

        Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
            .getKerberosKeys(principalName, userPassword);

        KeytabEntry keytabEntry = new KeytabEntry(
            (byte) 0,
        List<KeytabEntry> entry = Arrays.asList(keytabEntry);
        return keytabFile;

I'm able to a klist on a keytab that i create:

Vno  Type         Principal                  Date        Aliases

  0  des-cbc-md5  ssh/localhost@EXAMPLE.COM  2007-02-17  

Also, if this is not possible, is there a way to programmatically get a keytab using ApacheDS or any other java library?

one way to do this is to use KdcConnection to obtain a TgTicket and create KeyTab from the details of TgTicket

Kiran Ayyagari

Kiran Ayyagari

Kiran Ayyagari