with kutil you have to type in user's password to create the keytab file for it . but how can the system admins create these keytab files for LDAP users since they don't know their passwords ?
ktutil: add_entry -password -p serverdb_user -k 0 -e rc4-hmac-nt
CAUTION: Retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid.
The correct answer depends on which Kerberos implementation you are using.
For MIT KDC, a system admin would use an interface, known as "kadmin" (or an alternative "kadmin.local"), to create keytab for users using 'ktadd' command. ktadd will regenerate key with a random password and then add it to keytab:
# ktadd -k </path/to/file.keytab> <principal-name>
For FreeIPA, an admin would use ipa-getkeytab command. This command can generate keytab with a random or provided password:
# ipa-getkeytab -s <ipaserver.example.com> -p <principal-name> -k </path/to/file.keytab>
For Microsoft AD, an admin should use ktpass command. This command is really useful when you want to generate a keytab for AD service principal to be used in Linux environment. This can also use a given password or a random password (+rndpass):
# ktpass /princ hive/sandbox.hortonworks.com@HWX.COM /pass <password> /mapuser hiveservice /pType KRB5_NT_PRINCIPAL /crypto ALL /out c:\temp\hive.service.keytab
Hope this helps!