
creating keytab file for ldap users

With ktutil you have to type in the user's password to create the keytab file for it. But how can the system admins create these keytab files for LDAP users, since they don't know their passwords?

ktutil:  add_entry -password -p serverdb_user -k 0 -e rc4-hmac-nt

Re: creating keytab file for ldap users

Hello @Sami Ahmad,

CAUTION: Retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid.

The correct answer depends on which Kerberos implementation you are using.

For MIT KDC, a system admin would use an interface known as "kadmin" (or the alternative "kadmin.local") to create a keytab for users with the 'ktadd' command. ktadd regenerates the key with a random password and then adds it to the keytab:

# ktadd -k </path/to/file.keytab> <principal-name>

For FreeIPA, an admin would use the ipa-getkeytab command. This command can generate a keytab with a random or a provided password:

# ipa-getkeytab -s <ipaserver.example.com> -p <principal-name> -k </path/to/file.keytab>

For Microsoft AD, an admin should use the ktpass command. This command is really useful when you want to generate a keytab for an AD service principal to be used in a Linux environment. It can also use a given password or a random password (+rndpass):

# ktpass /princ hive/sandbox.hortonworks.com@HWX.COM /pass <password> /mapuser hiveservice /pType KRB5_NT_PRINCIPAL /crypto ALL /out c:\temp\hive.service.keytab

Hope this helps!
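One way to act on the CAUTION in the answer above, as an added example that is not part of the original reply: each ktadd or ipa-getkeytab run that regenerates a key bumps the principal's KVNO, so older keytabs for that principal keep an outdated key. This POSIX shell snippet parses `klist -kt` listings (the two listings are constructed samples; the paths, principals and timestamps are assumptions) and reports principals whose key version differs, so stale copies can be found and replaced.

```shell
#!/bin/sh
# Added example: find keytabs made stale by a key regeneration.
# Each kadmin ktadd / ipa-getkeytab run bumps the principal's KVNO, so any
# older keytab for that principal keeps an outdated key and stops working.
# The two listings below are constructed samples in `klist -kt` format; on a
# real host they would come from: klist -kt /path/to/file.keytab

# Constructed sample: keytab written before the key was regenerated.
OLD_KEYTAB_LISTING='Keytab name: FILE:/etc/security/keytabs/old.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/10/2019 10:00  serverdb_user@EXAMPLE.COM
   3 01/10/2019 10:00  serverdb_user@EXAMPLE.COM
   5 01/10/2019 10:00  hive/sandbox.hortonworks.com@EXAMPLE.COM'

# Constructed sample: keytab written after ktadd ran for serverdb_user.
NEW_KEYTAB_LISTING='Keytab name: FILE:/etc/security/keytabs/new.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 02/10/2019 09:30  serverdb_user@EXAMPLE.COM
   5 01/10/2019 10:00  hive/sandbox.hortonworks.com@EXAMPLE.COM'

# Print "principal kvno" (highest KVNO per principal) from klist -kt text.
# Entry lines start with a numeric KVNO; the principal is the last field.
max_kvno_per_principal() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            if (($NF in k) && k[$NF] >= $1) next
            k[$NF] = $1
        }
        END { for (p in k) print p, k[p] }' | sort
}

# Print "principal old_kvno new_kvno" for principals found in both listings
# whose KVNO differs; those entries in the first keytab are stale.
stale_principals() {
    old=$(max_kvno_per_principal "$1")
    new=$(max_kvno_per_principal "$2")
    printf '%s\n' "$old" | while read -r p k; do
        n=$(printf '%s\n' "$new" | awk -v p="$p" '$1 == p { print $2 }')
        if [ -n "$n" ] && [ "$n" != "$k" ]; then
            printf '%s %s %s\n' "$p" "$k" "$n"
        fi
    done
}

# Usage on the samples: prints "serverdb_user@EXAMPLE.COM 3 4"
stale_principals "$OLD_KEYTAB_LISTING" "$NEW_KEYTAB_LISTING"
```

Principals reported here need a fresh keytab from the same regeneration; the remaining entries still match the KDC and need no action.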
