Support Questions

ScipioTheElder · ‎07-26-2016

Anyone knows how to do with AD adkeytab command?

https://community.hortonworks.com/articles/35019/oozie-ha-configuration-with-kerberos.html

step 8 requires to add more than more principals in the same keytab.

[root@kk2 ~]# klist -ket /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO TimestampPrincipal
-----------------------------------------------------------------------------
305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (des3-cbc-sha1)
305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (arcfour-hmac)
505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (des3-cbc-sha1)
505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (arcfour-hmac)

sunile_manjee · ‎07-26-2016

An example of how to add service princple to keytab

denver # /usr/sbin/kadmin
kadmin: ktadd host/denver@example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver@example.com@EXAMPLE.COM with kvno 2,
  encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

ScipioTheElder · ‎07-26-2016

Thanks Sunile. We got that already. This is for adding two principals in the same key tab using AD, not MIT kdc.

sunile_manjee · ‎07-26-2016

@ScipioTheYounger is this microsoft Ad?

ScipioTheElder · ‎07-27-2016

Yes. However, we use adkeytab from Centrify. Here is a blog on this (he used adkeytab to add spn and kutil to merge with no detailed steps).

https://www.centrify.com/activate/cmz3c60glnnmc1tnlwnv0srcpkfct5p9/

sunile_manjee · ‎07-28-2016

@ScipioTheYounger

here is example with ktutil

ktutil
read_kt keytab1
read_kt keytab2
write_kt keytab.merge
quit

thanks @Laurent Edel

kgopal · ‎07-27-2016

To add a new keytab you can use ktpass in AD-Kerberos with the following syntax:

ktpass -out <keytabname>.keytab -princ <principal name> -pass <password> -mapuser <user_to_map_in_AD> -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL

For reference:

https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx

ScipioTheElder · ‎07-27-2016

http://community.centrify.com/t5/Centrify-Insight/Difference-between-adkeytab-and-ktutil/td-p/14281

Did you use ktutil to merge?

mqureshi · ‎07-27-2016

@ScipioTheYounger

Here is how you can add multiple principals to same keytab. Go to kadmin or kadmin.local and then

kadmin: xst -norandkey -k <desired keytab file name> principal1/<host fully qualified domain name> principal2/fully.qualified.domain.name

You can also use ktadd command to add a pricipal to an existing keytab. Please see following link.

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Adding-Principals-to-Keytabs.html

ktadd -k <your keytab file that contains one keytab already> principal

Cloudera Community

Support Questions

AD how to add multiple principals in the same keytab