Windows has a limited set of tools to create a keytab file. There are a couple of tools for this purpose. One tool is the Windows Server built-in utility ktpass. It can be only run on a Windows Server.
We will learn How To Create A Kerberos Keytab File in this post.
- To create a kerberos keytab file on Ubuntu and with the kerberos packages installed (e.g. Sudo apt-get install krb5-user ) root@jmcc02:# ktutil ktutil: addent -password -p myusername@DOMAIN.TLD.COM -k 1 -e RC4-HMAC Password for myusername@DOMAIN.TLD.COM: ktutil: wkt username.keytab ktutil: quit root@jmcc02:#.
- Create a service account (basically a user account). Run Ktpass.exe to generate the keytab file. Test the keytab file (optional step yet an invaluable time saver sometimes). Ktpass is the tool that does all the magic. If it is run correctly then it generates a keytab file after configuring all the SPN (Service Principal Name) mappings.
But before that that quickly understand what is a keytab file
What is a Keytab file
- Keytab file is basically as pair of Kerberos Principal & Encrypted Key
- The encrypted keys are derived from the Kerberos password
- We use keytab file as an authentication measure while trying to connect to remote systems which are layered by Kerberos security.
if( aicp_can_see_ads() ) {
}
Prerequisites
- Kerberos is already installed and configured
- Kerberos server is up and running
- You have set-up a Realm
If you are not aware of how to configure Kerberos to do the above steps, please refer my earlier post which explains the Kerberos installation & set-up in detail – How To Install & Configure Kerberos Server & Client in Linux ?
Assuming you are able to set up the Kerberos , lets dive in the steps to create a Kerberos Keytab file.
Step 1 – Create a NEW Principal
- Connect to the Kerberos Server .
- Once connected , use below in command line
- You will land on the kadmin.local prompt. List existing principles
- Create a New Principal in a the Realm. (We are using our Realm – TESTREALM.LOCAL). It will prompt to use password – so use your own password and note it down. Once done , you will get a prompt in the screen that Principal is created.
- List and verify the Principal is created
if( aicp_can_see_ads() ) {
}
Step 2 – Create the Keytab File for the New Principal
We have created a Principal in the above step.
As a Continuation , in this step , we will create a Keytab file for the same Principal.
We will use the same kadmin.local prompt for the same.
- Create Keytab for the Principal [email protected] (created above)
If you want to create the keytab file at any specific path (say /tmp/dir/) , use the path name. See example below
- Quit the kadmin.local prompt
- Verify the keytab file is created or not
Step 3 – Check the Encryption (Optional)
Generate Keytab File
- Check the encryptions used in the Keytab file
Create Keytab For Kerberos Authentication In Linux - Tech Jogging
Step 4 – Use the Keytab File
- Flush all the existing cache
- Check if all caches cleared . Results will be empty.
- Do kinit to reinitialize for the Principal [email protected] [ In actual Big Data environment , the Principal authentication needs to be renewed at regular intervals ( 81224 Hrs or any interval that is set up) for keeping the Principal active. That is why kinit is performed at regular intervals so the Principla is active and can be used to connect to Remote servers (through Kerberos). ]
- If you use below command , after above step , it will show the cache for [email protected] It also shows the timeline till when the Principal can be renewed.
Generate Keytab File Kerberos
if( aicp_can_see_ads() ) {
}
Hope you find this post helpful.
Generate Keytab File Windows 10
Additional Post you can read –