AD how to add multiple principals in the same keytab

Expert Contributor

Does anyone know how to do this with the AD adkeytab command?

Step 8 requires adding more than one principal to the same keytab.

    [root@kk2 ~]# klist -ket /etc/security/keytabs/spnego.service.keytab
    Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
    KVNO Timestamp         Principal
    -----------------------------------------------------------------------------
       3 05/03/16 16:44:05 HTTP/ (aes256-cts-hmac-sha1-96)
       3 05/03/16 16:44:05 HTTP/ (aes128-cts-hmac-sha1-96)
       3 05/03/16 16:44:05 HTTP/ (des3-cbc-sha1)
       3 05/03/16 16:44:05 HTTP/ (arcfour-hmac)
       5 05/03/16 16:44:11 HTTP/ (aes256-cts-hmac-sha1-96)
       5 05/03/16 16:44:11 HTTP/ (aes128-cts-hmac-sha1-96)
       5 05/03/16 16:44:11 HTTP/ (des3-cbc-sha1)
       5 05/03/16 16:44:11 HTTP/ (arcfour-hmac)

Master Guru

An example of how to add a service principal to a keytab:

denver # /usr/sbin/kadmin
kadmin: ktadd host/
kadmin: Entry for principal host/ with kvno 2,
  encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

Expert Contributor

Thanks Sunile. We got that already. This is for adding two principals in the same keytab using AD, not MIT KDC.

Master Guru

@ScipioTheYounger is this Microsoft AD?

Expert Contributor

Yes. However, we use adkeytab from Centrify. Here is a blog on this (he used adkeytab to add the SPN and ktutil to merge, with no detailed steps).

Master Guru


Here is an example with ktutil:

    ktutil
    read_kt keytab1
    read_kt keytab2
    write_kt keytab.merge
    quit

Thanks @Laurent Edel
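
What the ktutil merge above produces at the file-format level, as an added example that is not part of any post in this thread: it parses keytab files (assuming the MIT keytab format version 0x0502), concatenates their entries, and flags entries that use the DES, 3DES and RC4 enctypes seen in the output quoted earlier. The function names, principals, realm and all-zero keys are constructed for illustration.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 16, 23}  # enctype numbers for single DES, 3DES and RC4 (deprecated)

def build_entry(principal, realm, kvno, etype, key):
    """Serialize one entry in keytab format 0x0502 (big-endian); hypothetical helper."""
    parts = principal.split("/")
    body = struct.pack(">H", len(parts))
    for s in [realm] + parts:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def parse_keytab(data):
    """Return (principal@REALM, kvno, enctype number) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        p, names = 2, []
        for _ in range(ncomp + 1):          # realm first, then name components
            (n,) = struct.unpack_from(">H", entry, p)
            names.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno, etype, klen = struct.unpack_from(">BHH", entry, p + 8)  # after name type, timestamp
        p += 13 + klen
        if len(entry) - p >= 4:             # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return out

def merge_keytabs(*keytabs):
    """One header followed by every input's entries; bad headers raise, empty inputs drop."""
    return b"\x05\x02" + b"".join(kt[2:] for kt in keytabs if parse_keytab(kt))

def weak_entries(data):
    return [(p, k, ENCTYPES.get(e, str(e))) for p, k, e in parse_keytab(data) if e in WEAK]

# Constructed sample keytabs (not from the thread): example principals, all-zero keys.
KT1 = b"\x05\x02" + build_entry("HTTP/host1.example.com", "EXAMPLE.COM", 3, 18, bytes(32))
KT2 = b"\x05\x02" + build_entry("hdfs/host1.example.com", "EXAMPLE.COM", 5, 23, bytes(16))
```

Calling `weak_entries(merge_keytabs(KT1, KT2))` lists the principals in the merged file whose keys use a deprecated enctype, the same check `klist -ket` supports by eye.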

Rising Star

To add a new keytab you can use ktpass in AD-Kerberos with the following syntax:

ktpass -out <keytabname>.keytab -princ <principal name> -pass <password> -mapuser <user_to_map_in_AD> -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL

For reference:

Super Guru


Here is how you can add multiple principals to the same keytab. Go to kadmin or kadmin.local and then

kadmin: xst -norandkey -k <desired keytab file name> principal1/<host fully qualified domain name> principal2/

You can also use the ktadd command to add a principal to an existing keytab. Please see the following link.

ktadd -k <your keytab file that contains one keytab already> principal