March 22nd, 2010

msktutil -- Linux/Active Directory keytab management

At work, I've been working on a little side project for a while: getting my Linux (Debian Lenny) box to play nicely with our Windows Active Directory domain controller. I did get it working, with login, ssh, firefox doing kerberos against AD, and with user info, groups, and automount data coming from AD's LDAP. I plan to post a writeup of what I did soon. It's all done using the standard tools and libraries, but there are many irritating nits.

But in the meantime, I'd like to announce version 0.4 of a tool called msktutil. It allows you to conveniently create and manage computer objects (that is: kerberos accounts for your computer) in Active Directory, while also writing out and managing the keytab. This allows much easier provisioning of machines, including a keytab suitable for kerberized ssh.

I use it like this (holding valid kerberos tickets that can add hosts to AD):
for hostname in $hostnames; do
  msktutil --precreate -h $hostname -s host
done

to create a bunch of accounts. Then, on each machine, there's a daily cron job which runs
msktutil --auto-update

which checks if the keytab needs to be updated, either because it's missing or because the password needs to be rotated (when it's 30 days old). I also run that at install time. And that doesn't need any credentials besides the keytab itself.
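To make the rotation decision concrete, here is the age check in Python, added as an illustration for this post rather than code from msktutil itself. Active Directory records when an account's password was last changed in the pwdLastSet attribute, a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC). The two triggers (missing keytab, password at least 30 days old) come from the paragraph above; the function names, the sample timestamps and how the value would be fetched from LDAP are my assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD's pwdLastSet attribute is a Windows FILETIME: 100-nanosecond
# intervals since 1601-01-01 00:00:00 UTC. A value of 0 means the
# password has never been set (or must change at next logon).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000

# Rotation threshold used by the daily cron job described in the post.
MAX_PASSWORD_AGE = timedelta(days=30)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (as read from pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to construct sample values."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def needs_update(pwd_last_set: int, keytab_exists: bool, now: datetime,
                 max_age: timedelta = MAX_PASSWORD_AGE) -> Optional[str]:
    """Return the reason the keytab must be (re)written, or None if it is current.

    Mirrors the two conditions in the post: the keytab is missing, or the
    computer account's password is old enough that it should be rotated.
    (Hypothetical helper; not msktutil's own implementation.)
    """
    if not keytab_exists:
        return "keytab missing"
    if pwd_last_set == 0:
        return "password never set"
    age = now - filetime_to_datetime(pwd_last_set)
    if age >= max_age:
        return f"password is {age.days} days old (limit {max_age.days})"
    return None


if __name__ == "__main__":
    # Constructed sample: a computer account whose password was set 31 days
    # before a hypothetical cron run on 2010-03-22 (the date of this post).
    run_time = datetime(2010, 3, 22, 6, 0, tzinfo=timezone.utc)
    sample_pwd_last_set = datetime_to_filetime(run_time - timedelta(days=31))
    print(needs_update(sample_pwd_last_set, True, run_time))
    # -> password is 31 days old (limit 30)
```

In real use the pwdLastSet value would be read from the computer object over LDAP using the machine's own keytab credentials, which is why the cron job needs no other credentials; the threshold comparison itself is the only part shown here.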

See the man page for more usage info.

Also, a shout-out: this tool was not written by me; I am simply continuing the work of those who came before me. It was originally written by Dan Perry, and over the years since, updated by Brian Elliott Finley and Doug Engert. Many thanks to each of them.

BTW: if anyone knows anything about debian packaging, it would be nice if you could fix it up for me. I'm no expert, but I'm pretty sure the packaging scripts in there now show their age, and are sorely due for an update. Have a Git repository if you like. Patches welcome. :)