Does anyone know how to do this with the AD adkeytab command?
Step 8 requires adding more than one principal to the same keytab.
An example of how to add a service principal to a keytab:
denver # /usr/sbin/kadmin
kadmin: ktadd firstname.lastname@example.org@EXAMPLE.COM
kadmin: Entry for principal email@example.com@EXAMPLE.COM with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
Thanks Sunile. We got that already. This is for adding two principals in the same keytab using AD, not MIT KDC.
Yes. However, we use adkeytab from Centrify. Here is a blog on this (he used adkeytab to add the SPN and ktutil to merge, with no detailed steps).
To add a new keytab you can use ktpass in AD-Kerberos with the following syntax:
ktpass -out <keytabname>.keytab -princ <principal name> -pass <password> -mapuser <user_to_map_in_AD> -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL
Here is how you can add multiple principals to the same keytab. Go to kadmin or kadmin.local and then:
kadmin: xst -norandkey -k <desired keytab file name> principal1/<host fully qualified domain name> principal2/fully.qualified.domain.name
You can also use the ktadd command to add a principal to an existing keytab. Please see the following link.
ktadd -k <your keytab file that contains one keytab already> principal
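
Added example, not from any poster in this thread: once a keytab is supposed to hold several principals, this Python sketch reads it and reports which expected principals are missing and which entries carry single-DES keys, such as the DES-CBC-CRC type shown in the kadmin output above. It assumes the MIT keytab file format version 0x0502; the function names, host names and sample keytab are constructed for illustration.

```python
import struct

# Single-DES enctype numbers (deprecated by RFC 6649); DES-CBC-CRC is type 1.
WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def build_entry(principal, realm, kvno, etype, key):
    """Build one keytab record; used only to construct sample data."""
    parts = principal.split("/")
    body = struct.pack(">H", len(parts))
    for s in [realm] + parts:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative size: hole left by a deleted entry
            pos -= size
            continue
        rec, p = data[pos:pos + size], 2
        pos += size
        (count,) = struct.unpack_from(">H", rec, 0)
        names = []
        for _ in range(count + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, p)
            names.append(rec[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _time, vno8, etype, klen = struct.unpack_from(">IIBHH", rec, p)
        p += 13 + klen               # skip name type, timestamp, vno8, keyblock
        # An optional trailing 32-bit kvno overrides the 8-bit one when nonzero.
        kvno = (struct.unpack_from(">I", rec, p)[0] if len(rec) - p >= 4 else 0) or vno8
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def audit(data, expected):
    """Return (missing expected principals, entries holding single-DES keys)."""
    entries = parse_keytab(data)
    missing = sorted(set(expected) - {e[0] for e in entries})
    weak = [(p, WEAK_ETYPES[t]) for p, _, t in entries if t in WEAK_ETYPES]
    return missing, weak

SAMPLE = (b"\x05\x02"  # constructed sample: two principals, dummy all-zero keys
          + build_entry("HTTP/node1.example.com", "EXAMPLE.COM", 2, 1, b"\x00" * 8)
          + build_entry("host/node1.example.com", "EXAMPLE.COM", 2, 18, b"\x00" * 32))
```

To check a real file, pass its bytes to `audit()` together with the list of principals the keytab is meant to contain.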