Our AD team created a headless keytab without HOST attribute and the keytab with same service account name with HOST attribute broke and the headless keytab doesn't work. What is the appropriate syntax for creating headless keytabs in AD? We created it as follows:
C:\Users\adminname>ktpass /princ firstname.lastname@example.org /pass securepassword /mapuser serviceaccountname /pType KRB5_NT_PRINCIPA
L /out serviceaccountname_headless.keytab
Targeting domain controller: hostname.domain.com
Failed to set property 'servicePrincipalName' to 'serviceaccountname' on Dn 'CN=serviceaccountname,OU=Hadoop,OU=Secure,OU=Secure,OU=Secure,DC=domain,DC=com': 0x13.
WARNING: Unable to set SPN mapping data.
If serviceaccountname already has an SPN mapping installed for serviceaccountname, this is no cause for concern.
Password successfully set!
Output keytab to serviceaccountname_headless.keytab:
Keytab version: 0x502
keysize 57 email@example.com ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (A000000000000000000)
This is the error received when kiniting the headless keytab:
Keytab contains no suitable keys for firstname.lastname@example.org while getting initial