LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide
default keytab file configured in /etc/krb5.conf, then the keytab file /etc/krb5.keytab
will be used,
Each service principal must have a service key that is known by every domain controller, since
each domain controller also acts as a KDC.
Use the ktpass tool to create the keytab file and set up an identity mapping to the host account.
The following example shows how to run ktpass to create the keytab file for the HP-UX host
myhost in the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab
SASL/GSSAPI Profile Download Support
LDAP-UX Client Services B.04.00 does not support automatic downloading of the LDAP-UX profile
when it is used with SASL/GSSAPI authentication and that authentication uses a host or service
principal whose key is stored in a Kerberos keytab file. This limitation affects the ability of the
LDAP-UX product to support the "profile time to live" feature, which automatically re-downloads
a profile after its profileTTL time period has expired.
You can download profiles manually with the get_profile_entry command, as long as you provide
a principal and password on the command line. The following command shows how to download
the profile manually. If your profile changes frequently, you may wish to place this command in a
script that cron runs periodically.
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"
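The following wrapper script is an added example for the cron job suggested above; it is not part of the LDAP-UX product. It keeps the bind DN and password out of the crontab and the script itself by reading them from a root-owned, mode 0600 credential file (the path /etc/opt/ldapux/profile_refresh.cred is a hypothetical choice) and refuses to run if that file is readable by anyone else; the GET_PROFILE_ENTRY variable only exists so the tool path can be overridden.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX guide. Refreshes the NSS profile with
# get_profile_entry using credentials stored in CRED_FILE (line 1: bind DN,
# line 2: password) instead of hardcoding them in the crontab.
GET_PROFILE_ENTRY="${GET_PROFILE_ENTRY:-/opt/ldapux/config/get_profile_entry}"
CRED_FILE="${CRED_FILE:-/etc/opt/ldapux/profile_refresh.cred}"   # hypothetical path

# cred_file_ok FILE: succeeds only if FILE exists, is owned by the user
# running this script (root under cron) and has no group/other permissions.
cred_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    owner=$(ls -ld "$f" | awk '{print $3}')
    perms=$(ls -ld "$f" | cut -c5-10)      # group and other permission bits
    [ "$owner" = "$(id -un)" ] || return 1
    [ "$perms" = "------" ]
}

# refresh_profile: runs the manual download from the guide with the
# credentials read from CRED_FILE. Returns 2 if the file is unsafe or
# incomplete, otherwise the exit status of get_profile_entry.
refresh_profile() {
    if ! cred_file_ok "$CRED_FILE"; then
        echo "refusing: $CRED_FILE must be owned by $(id -un) with mode 0600" >&2
        return 2
    fi
    bind_dn=$(sed -n '1p' "$CRED_FILE")
    bind_pw=$(sed -n '2p' "$CRED_FILE")
    if [ -z "$bind_dn" ] || [ -z "$bind_pw" ]; then
        echo "refusing: $CRED_FILE must contain the bind DN and the password" >&2
        return 2
    fi
    "$GET_PROFILE_ENTRY" -s NSS -D "$bind_dn" -w "$bind_pw"
}
```

Because get_profile_entry takes the password through -w, it is still visible in the process argument list for the duration of the run, so keep the refresh short and the credential file restricted.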
Changing Authentication methods
If you wish to switch from your current authentication method, for example from SIMPLE to
SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/GSSAPI, you must restart the ldapclientd daemon after
making the configuration changes. This step is required to ensure that the proper GSSAPI, Kerberos
and/or SSL initialization is completed.
SASL GSSAPI Support 105