https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209428#M79222 <A rel="user" href="https://community.cloudera.com/users/81275/infaelance.html" nodeid="81275">@infa elance</A><P>The issue is as described by <A rel="user" href="https://community.cloudera.com/users/39314/mrodriguez.html" nodeid="39314">@mrodriguez</A>; however, the real solution is to use the -norandkey option to the ktadd function. This way the key for the principal you want add to the keytab file will not be updated. </P><PRE>kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"</PRE><P>I assume this is a better option since you may want to have the keytab entry for some user's principal in that file as well. </P><P>Note: the -norandkey option is only available when using kadmin.local. It is not an option for the general kadmin utility. </P><P>Another option is to use the ktuil utility to read in multiple keytab files and write out a new one. See <A href="https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html" target="_blank">https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html</A>.</P> Thu, 07 Jun 2018 04:21:18 GMT rlevas 2018-06-07T04:21:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209425#M79219 <P>We have a requirement to add two principals to a keytab file and one of them is the HTTP principal.</P><P>When i regenerate the keytabs through ambari and run the following command i get a valid ticket </P><P>kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM</P><P>Now i need to add the HTTP principal to a user keytab so i run the following commands </P><P>kadmin.local -q "ktadd -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"</P><P>After i add the principal run the kinit using spnego.service.keytab (below command) i get an error saying "kinit: Password incorrect while getting initial credentials". Could anyone help me why the spnego keytab gets corrupted if i add a principal to a different keytab?</P><P>"kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM"</P><P>Thanks in advance!!</P> Fri, 16 Sep 2022 13:18:25 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209425#M79219 Abhi 2022-09-16T13:18:25Z https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209426#M79220 <P>This is because kvno has changed for that principal in kerberos database after you create a new keytab for the same principal. You can confirm the same by doing:</P><P>kadmin.local: get_principal <A href="mailto:HTTP/hdp26.xyz.com@xyz.COM">&lt;</A>principal_name&gt; the kvno is different than the one in spnego.service.keytab (by doing klist -kte &lt;keytab&gt;)</P><P>The thing that I suggest in this scenario is to "cp spnego.service.keytab user.name.keytab" Then you can provide permissions to that keytab accordingly.</P><P>Hope this helps.</P> Wed, 06 Jun 2018 03:34:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209426#M79220 ManuelCalvo 2018-06-06T03:34:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209427#M79221 <P>Thanks for the solution.Its working good so far. </P> Thu, 07 Jun 2018 03:22:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209427#M79221 Abhi 2018-06-07T03:22:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209428#M79222 <A rel="user" href="https://community.cloudera.com/users/81275/infaelance.html" nodeid="81275">@infa elance</A><P>The issue is as described by <A rel="user" href="https://community.cloudera.com/users/39314/mrodriguez.html" nodeid="39314">@mrodriguez</A>; however, the real solution is to use the -norandkey option to the ktadd function. This way the key for the principal you want add to the keytab file will not be updated. </P><PRE>kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"</PRE><P>I assume this is a better option since you may want to have the keytab entry for some user's principal in that file as well. </P><P>Note: the -norandkey option is only available when using kadmin.local. It is not an option for the general kadmin utility. </P><P>Another option is to use the ktuil utility to read in multiple keytab files and write out a new one. See <A href="https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html" target="_blank">https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html</A>.</P> Thu, 07 Jun 2018 04:21:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209428#M79222 rlevas 2018-06-07T04:21:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209429#M79223 <P>Thanks Robert!! I will try the -norandkey next time.</P> Thu, 07 Jun 2018 22:06:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/spnego-keytab-gets-corrupted/m-p/209429#M79223 Abhi 2018-06-07T22:06:04Z