Support Questions
Find answers, ask questions, and share your expertise

AD how to add multiple principals in the same keytab

Contributor

Anyone knows how to do with AD adkeytab command?

https://community.hortonworks.com/articles/35019/oozie-ha-configuration-with-kerberos.html

step 8 requires to add more than more principals in the same keytab.

  1. [root@kk2 ~]# klist -ket /etc/security/keytabs/spnego.service.keytab
  2. Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
  3. KVNO TimestampPrincipal
  4. -----------------------------------------------------------------------------
  5. 305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
  6. 305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
  7. 305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (des3-cbc-sha1)
  8. 305/03/1616:44:05 HTTP/kk2.hwxblr.com@HWX.COM (arcfour-hmac)
  9. 505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes256-cts-hmac-sha1-96)
  10. 505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (aes128-cts-hmac-sha1-96)
  11. 505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (des3-cbc-sha1)
  12. 505/03/1616:44:11 HTTP/test1-ambari-server.hwxblr.com@HWX.COM (arcfour-hmac)
8 REPLIES 8

Super Guru

An example of how to add service princple to keytab

denver # /usr/sbin/kadmin
kadmin: ktadd host/denver@example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver@example.com@EXAMPLE.COM with kvno 2,
  encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

Contributor

Thanks Sunile. We got that already. This is for adding two principals in the same key tab using AD, not MIT kdc.

Super Guru

@ScipioTheYounger is this microsoft Ad?

Contributor

Yes. However, we use adkeytab from Centrify. Here is a blog on this (he used adkeytab to add spn and kutil to merge with no detailed steps).

https://www.centrify.com/activate/cmz3c60glnnmc1tnlwnv0srcpkfct5p9/

Super Guru

@ScipioTheYounger

here is example with ktutil

  1. ktutil
  2. read_kt keytab1
  3. read_kt keytab2
  4. write_kt keytab.merge
  5. quit

thanks @Laurent Edel

Contributor

To add a new keytab you can use ktpass in AD-Kerberos with the following syntax:

ktpass -out <keytabname>.keytab -princ <principal name> -pass <password> -mapuser <user_to_map_in_AD> -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL

For reference:

https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx

Contributor

Super Guru

@ScipioTheYounger

Here is how you can add multiple principals to same keytab. Go to kadmin or kadmin.local and then

kadmin: xst -norandkey -k <desired keytab file name> principal1/<host fully qualified domain name> principal2/fully.qualified.domain.name

You can also use ktadd command to add a pricipal to an existing keytab. Please see following link.

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Adding-Principals-to-Keytabs.html

ktadd -k <your keytab file that contains one keytab already> principal
; ;