Support Questions

Find answers, ask questions, and share your expertise

Kerberized Clusters - Can you have multiple keytabs in AD using same principal name on different hosts.


In our environment we are not able to use keytabs with same principal name on different servers. For example nifi-1-service-keytab with a principal name of nifi can only be used on server 1 even if the keytab is changed nifi-2-service-keytab. nifi-2-server-keytab cannot be used on different server with same principal name nifi in AD.


Expert Contributor

Please provide information on how you are generating and defining your keytabs.

try klist -k nifi-1-service-keytab

If you principals have HOST (machine name or IP) as part of the definition like xxxx/HOST_NAME@domain you will not be able to use the keytab on any other machine.

Renaming the keytab will not work as content of the file still point to a specific host.

It is best practice to have separate keytab for separate machines. Reusing the same keytab is not the most secure option.

Alternatively, if you define a principal in AD as headless that is without HOST attribute. And then create a keytab, that keytab can be used on any host typically this is your hdfs principal. But, not too secure.


Hi Umair,

Our AD team created a headless keytab without HOST attribute and the keytab with same service account name with HOST attribute broke and the headless keytab doesn't work. What is the appropriate syntax for creating headless keytabs in AD? We created it as follows:

C:\Users\adminname>ktpass /princ /pass securepassword /mapuser serviceaccountname /pType KRB5_NT_PRINCIPA L /out serviceaccountname_headless.keytab Targeting domain controller: Failed to set property 'servicePrincipalName' to 'serviceaccountname' on Dn 'CN=serviceaccountname,OU=Hadoop,OU=Secure,OU=Secure,OU=Secure,DC=domain,DC=com': 0x13. WARNING: Unable to set SPN mapping data. If serviceaccountname already has an SPN mapping installed for serviceaccountname, this is no cause for concern. Password successfully set! Key created. Output keytab to serviceaccountname_headless.keytab: Keytab version: 0x502 keysize 57 ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (A000000000000000000)

This is the error received when kiniting the headless keytab:

Keytab contains no suitable keys for while getting initial credentials.


@Debra Montague

Make sure the encryption types are the same , also check that the KVNO (key version number) is the same !

See the syntax here Link


Hi Geoffrey,

Is this the same for creating headless keytabs/principals? We are able to create keytabs with host attributes, the issue is using the same service name to create a headless account. Does the article you pointed to address this?