A keytab file containing pairs of Kerberos principals and encrypted keys can be created on any computer with Kerberos.
Before you begin
To create a keytab file you need the ktutil utility and you need to know your Kerberos password. The ktutil utility is present on any workstation using the Kerberos system for network security. It is, for example, part of the MIT Kerberos tools in the Kerberos workstation package. You do not need to log into the actual Kerberos server to generate your keytab file.
Creating the keytab file
The following procedure demonstrates the creation of the keytab file using MIT Kerberos. A corresponding example using Heimdal Kerberos is also given below. The examples assume that you are logged into a Linux-based Kerberos workstation.
Ensure that the ktutil utility is on your command execution PATH. For Unix/Linux systems this could be, for example, /usr/kerberos/sbin. The command type ktutil should tell you where the executable ktutil file resides. If the type command fails, you will need to find the location of the executable ktutil file and make sure that it is on your execution PATH.
On your command prompt, type ktutil. This should result in the ktutil: prompt being displayed, as shown in the example output.
> ktutil
ktutil:
Use the addent command to instruct the ktutil utility to add a principal key to the keytab file. The following syntax uses the -password option to gain appropriate permissions, though you can also use the -key option. For full details of the ktutil command syntax, refer to the Kerberos documentation. Note that you can specify all of the required options to the addent command or only some; options that are required but not supplied will be prompted for. In the example below, the user is prompted for the password.
addent -password -p principal -k kvno -e enctype
where principal is the principal ID, kvno is the key version number, and enctype is the encryption type. For example:
ktutil: addent -password -p myName@ABC.XX.YYY -k 1 -e rc4-hmac
Password for myName@ABC.XX.YYY: qVnlfc587
Repeat adding new keys as required.
Use the write_kt (wkt) command to write the current keylist to a Kerberos keytab file:
ktutil: wkt myfile.keytab
Use the quit command to exit ktutil.
View the created keytab file. The keytab file will have been created in the current working directory. You can list it using the
Example for MIT Kerberos
The following example summarizes the input and output from the above procedure, while adding an additional key with a different encryption type:
> ktutil
ktutil:
ktutil: addent -password -p myName@ABC.XX.YYY -k 1 -e rc4-hmac
Password for myName@ABC.XX.YYY: qVnlfc587
ktutil: addent -password -p joe@ABC.XX.YYY -k 1 -e aes256-cts
Password for joe@ABC.XX.YYY: Pagod005
ktutil: wkt myfile.keytab
ktutil: quit
Example for Heimdal Kerberos
You should use Heimdal Kerberos version 1.5 or older.
> ktutil -k myfile.keytab add -p username@ABC.XX.YYY -e arcfour-hmac-md5 -V 1
> ktutil -k myfile.keytab add -p username@ABC.XX.YYY -e aes256-cts-hmac-sha1-96 -V 1
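As an added example (not part of this procedure or of the MIT/Heimdal tools), the following Python reads a keytab in the binary format that ktutil's wkt writes and reports each principal, key version and enctype without ever retaining the key bytes, flagging the deprecated rc4-hmac (arcfour) enctype added in the sessions above; the sample keytab is constructed inline from zero-filled placeholder keys, and the principal names and timestamp are assumptions.

```python
import struct

ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {16, 23}  # 3DES and RC4 (rc4-hmac / arcfour-hmac-md5) are deprecated

def parse_keytab(data: bytes) -> list[tuple]:
    """Return (principal, kvno, enctype, key_len) per entry of a version-0x0502 keytab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2].hex()}")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                   # negative size: hole left by a deleted entry, skip it
            pos -= size
            continue
        e, off, pos = data[pos:pos + size], 0, pos + size
        (ncomp,) = struct.unpack_from(">H", e, off); off += 2
        strings = []                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", e, off); off += 2
            strings.append(e[off:off + n].decode()); off += n
        off += 4                        # name_type (1 = KRB5_NT_PRINCIPAL), not needed here
        _ts, vno8, enctype, klen = struct.unpack_from(">IBHH", e, off); off += 9 + klen
        # MIT appends a 32-bit kvno after the key; when present and non-zero it overrides the 8-bit one
        kvno = (struct.unpack_from(">I", e, off)[0] if size - off >= 4 else 0) or vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype, klen))
    return entries

def encode_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int) -> bytes:
    """Build one keytab record in the layout parse_keytab expects (used only to construct the sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the session above; the keys are zero-filled placeholders, not real keys.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + encode_entry("myName@ABC.XX.YYY", 1, 23, bytes(16), 1700000000)
                 + encode_entry("joe@ABC.XX.YYY", 1, 18, bytes(32), 1700000000))

def audit_keytab(data: bytes) -> list[str]:
    """One report line per key, with a warning for deprecated enctypes."""
    lines = []
    for principal, kvno, enctype, klen in parse_keytab(data):
        name = ENCTYPES.get(enctype, f"enctype {enctype}")
        flag = "  WARNING: deprecated enctype" if enctype in WEAK_ENCTYPES else ""
        lines.append(f"{principal} kvno={kvno} {name} ({klen * 8}-bit key){flag}")
    return lines
```

Run against a real file with `audit_keytab(open("myfile.keytab", "rb").read())`; an unexpected principal, kvno or enctype in the output is the first thing to check before the file is copied onward.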
What to do next
Store the created keytab file securely in preparation for copying it to the NAM Probe. Remember that the keytab file is not encrypted. If you are transferring it over a network, make sure that the network is secure. Once the file has been transferred to the NAM Probe, it needs to be encrypted for security reasons. For more information, see Encrypting Kerberos SNC keys for secure storage on NAM Probe.