Kerberos - KeyTab
1 - About
A keytab (key table) file holds one or more long-term keys, each bound to a principal name, a key version number (kvno) and an encryption type.
For a service, the keytab plays the role a password plays for a user: it lets the service authenticate to the KDC and decrypt the service tickets clients present, without anyone typing a password.
The keys are derived from the account password, so whoever can read the keytab can impersonate the service: the file must be owned by the service account and readable by nobody else, and it has to be regenerated whenever the account password changes, because the kvno moves on and tickets issued under the new key no longer decrypt with the old one.
2 - Articles Related
3 - Default Location
On Linux with MIT Kerberos the system keytab is /etc/krb5.keytab, the file the merge step in section 4.2 targets; the KRB5_KTNAME environment variable or default_keytab_name in krb5.conf points the libraries at a different file.
4 - Operating System
4.1 - Windows
- Use the setspn command to register the Kerberos service principal name, HTTP/<host name>, on the Active Directory account the service runs as. The SPN must be unique in the forest; setspn -S does the same as -A but refuses to create a duplicate. An example of setspn usage is as follows:
C:\Program Files\Support Tools> setspn -A HTTP/myappserver.austin.ibm.com myappserver
- Create a keytab with the JDK's ktab tool. It prompts for the account password and stores the key derived from it, so the keytab goes stale as soon as that password changes:
ktab.exe -k keytab-file-name -a account-name@REALM.NAME
(NB the realm name must be given in capitals, exactly as the KDC spells it: Kerberos realm names are case-sensitive.)
4.2 - Linux
To generate a .keytab file for a host computer that is not running the Windows operating system, the keytab is produced on the Windows side and then copied to the host:
- Connect to the AD domain controller.
- Map the principal to the account and set the host principal password:
ktpass /princ host/[email protected] /mapuser Sample1 /pass MyPas$w0rd /out Sample1.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set
The ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service. Two caveats: /pass resets the account's password, so every keytab issued earlier for that account stops working the moment ktpass runs (its kvno is now behind), and /crypto all writes DES and RC4 keys alongside AES; where the domain supports it, /crypto AES256-SHA1 keeps the weak types out of the file.
- Copy Sample1.keytab to the non-Windows host over an authenticated, encrypted channel (scp, not e-mail or a shared drive) and merge it into /etc/krb5.keytab with ktutil (rkt to read each file, wkt to write the result). Then check the entries with klist -kt /etc/krb5.keytab, make the file readable only by the service account, and delete the copy left behind on the domain controller.
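What the merge step produces is just a sequence of keytab entries, each a (principal, kvno, enctype, key) record in the MIT/Heimdal 0x0502 format that ktpass, ktab and ktutil all write. The following Python is an added example for this page, not code from MIT Kerberos, the JDK or Microsoft: it reads and writes that format, merges keytabs the way the ktutil rkt/wkt sequence does, lists entries in the style of klist -kt, and flags the DES and RC4 keys that /crypto all leaves behind. Everything fed to it (principal names, keys, timestamps, the realm EXAMPLE.COM) is constructed for the example; no real key material is involved.

```python
"""Minimal reader/writer/merger for the MIT/Heimdal keytab format (version 0x0502).

Added example for this page, not code from MIT Kerberos, the JDK or Microsoft.
It does offline what `ktutil` (rkt/wkt) and `klist -kt` do on a real host.
All principal names, keys and timestamps fed to it are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"   # version 2 keytab, the format ktpass, ktab and ktutil write

# Encryption type numbers (RFC 3961/3962, MS-KILE); `ktpass /crypto all` emits all five.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}    # single DES and RC4: the ones to purge from a keytab


@dataclass(frozen=True)
class KeytabEntry:
    principal: str            # "host/sample1.example.com@EXAMPLE.COM"
    name_type: int            # 1 = KRB5_NT_PRINCIPAL, the /ptype used above
    timestamp: int            # seconds since the epoch when the entry was written
    kvno: int                 # key version number; it bumps whenever the password changes
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def write_keytab(entries: Iterable[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))  # v2: realm is not counted
        body += _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                     # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body            # size excludes itself
    return bytes(out)


def read_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")

    def read_counted(at: int) -> Tuple[str, int]:
        (n,) = struct.unpack_from(">H", data, at)
        return data[at + 2:at + 2 + n].decode(), at + 2 + n

    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot (ktutil delent)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = read_counted(pos + 2)
        components = []
        for _ in range(ncomp):
            c, pos = read_counted(pos)
            components.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:            # a non-zero 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm,
                                   name_type, ts, kvno, enctype, key))
    return entries


def merge_keytabs(*blobs: bytes) -> bytes:
    """`ktutil: rkt a.keytab; rkt b.keytab; wkt out.keytab`, minus exact duplicates."""
    merged: Dict[Tuple[str, int, int], KeytabEntry] = {}
    for blob in blobs:
        for e in read_keytab(blob):
            merged[(e.principal, e.kvno, e.enctype)] = e  # later file wins on duplicates
    return write_keytab(merged.values())


def list_keytab(data: bytes) -> List[str]:
    """One line per entry, in the spirit of `klist -kt`."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in read_keytab(data)]


def weak_entries(data: bytes) -> List[str]:
    """Principals that still carry DES or RC4 keys, which `/crypto all` leaves behind."""
    return [e.principal for e in read_keytab(data) if e.enctype in WEAK_ENCTYPES]
```

To audit a real file, pass the bytes of /etc/krb5.keytab to list_keytab and weak_entries; a principal that shows up with a lower kvno than the KDC currently holds is the symptom of the /pass reset described above. merge_keytabs keys duplicates on (principal, kvno, enctype) rather than on the key bytes, which mirrors how ktutil treats repeated entries and keeps an older kvno alongside the new one so in-flight tickets still decrypt during a rotation.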