oam 11g WNA
OAM config WNA with Windows 2003 AD
- Install the Windows Support Tools on the Windows server (they provide ktpass)
- Create an AD user account to map the SPN to
- Run ktpass to create the SPN and write the keytab
- The realm part of the SPN (after the @) must be upper case
Windows 2003 Server Syntax -
C:\Program Files\Support Tools>ktpass.exe -princ HTTP/oam.acer.com@AD.ACER.COM -mapuser AD\aaa -pass aaa -out c:\src\oam.keytab
Targeting domain controller: acer.ad.acer.com
Using legacy password setting method
Successfully mapped HTTP/oam.acer.com to aaa.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to c:\src\oam.keytab:
Keytab version: 0x502
keysize 64 HTTP/oam.acer.com@AD.ACER.COM ptype 0 (KRB5_NT_UNKNOWN) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0xe24106942bf38bcf57a6a4b29016eff6)
Windows 2008 R2 Server Syntax -
ktpass -princ HTTP/oam.server.com@FOREST1.SPRITE.COM ^
  -mapuser oamkrb5 ^
  -pass Oracle123 ^
  -ptype KRB5_NT_PRINCIPAL ^
  -crypto ALL ^
  -out forest1.krb5.keytab
- Copy the keytab file to the OAM server
- Edit /etc/krb5.conf on the OAM server
more /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.ACER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
AD.ACER.COM = {
kdc = acer.ad.acer.com
admin_server = acer.ad.acer.com
}
[domain_realm]
.ad.acer.com = AD.ACER.COM
ad.acer.com = AD.ACER.COM
- Run kinit to validate the keytab
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/oam.acer.com@AD.ACER.COM
Using keytab: /tmp/oam.keytab
Authenticated to Kerberos v5
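As an added check after the steps above (example code, not from these notes or from Oracle), a small Python parser for the keytab ktpass writes: it reads the 0x0502 layout the output above reports, recovers the principal, ptype, kvno and etype, and flags the three conditions the notes warn about (realm not upper case, ptype not KRB5_NT_PRINCIPAL, RC4/DES key). The sample keytab is constructed inline with placeholder key bytes; the build_keytab helper exists only to produce it.

```python
import struct
ENCTYPES = {0x17: "RC4-HMAC", 0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST"}
WEAK_ENCTYPES = {0x01, 0x03, 0x17}  # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC

def cos(s):  # counted octet string used throughout the keytab: uint16 length + bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_keytab(realm, components, name_type, kvno, enctype, key):
    """Serialise a one-entry keytab in the MIT v2 (0x0502) layout that ktpass writes."""
    body = struct.pack(">H", len(components)) + cos(realm) + b"".join(cos(c) for c in components)
    body += struct.pack(">IIB", name_type, 0, kvno)           # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key       # keyblock: enctype, length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body  # version, entry size, entry

def parse_keytab(data):
    """Parse keytab bytes into a list of entry dicts (principal, name_type, kvno, enctype...)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0: pos -= size; continue  # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []                        # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4: (kvno,) = struct.unpack_from(">I", data, pos)  # optional 32-bit kvno
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "realm": strings[0],
                        "name_type": name_type, "kvno": kvno, "enctype": enctype, "entry_size": size})
    return entries

def check_entry(e):
    """Return the findings the notes above warn about: realm case, ptype, weak enctype."""
    findings = []
    if e["realm"] != e["realm"].upper():
        findings.append("realm is not upper case")
    if e["name_type"] != 1:
        findings.append("ptype is %s, not KRB5_NT_PRINCIPAL" % NAME_TYPES.get(e["name_type"], e["name_type"]))
    if e["enctype"] in WEAK_ENCTYPES:
        findings.append("weak enctype %s" % ENCTYPES.get(e["enctype"], hex(e["enctype"])))
    return findings

# Constructed sample mirroring the Windows 2003 ktpass run above; the key bytes are a placeholder.
SAMPLE = build_keytab("AD.ACER.COM", ["HTTP", "oam.acer.com"], 0, 5, 0x17, bytes(range(16)))
```

Run parse_keytab on the bytes of a real keytab (open(path, "rb").read()) and the entry size it reports for the 2003 run should be the 64 that ktpass printed; the 2008 R2 syntax with -ptype KRB5_NT_PRINCIPAL and -crypto ALL clears the ptype finding and adds AES entries alongside RC4.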