Support Questions

Find answers, ask questions, and share your expertise
Celebrating as our community reaches 100,000 members! Thank you!

keytab creation/KDC is AD

Rising Star


We have Kerberos, AD as KDC. I want to generate the keytabs for service accounts.

kadmin -r <ad-domain> -p CN=kadmin,OU=Service Accounts,DC=xxxx,DC=xxxx,DC=com -w xxxxxxx -s ADSever kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

Kindly Suggest if any solution??


Mamta Chawla


Super Collaborator

Hi @Mamta Chawla,

Prior to retive your keytabs form the host, you need to ensure that, host is prepared to connect to KDC.

by default the configuraton details can be found at /etc/krb5.conf file, so after installing the krb5-workstation (krb5-client in SLES).

 ticket_lifetime = 24000
 default_realm = <YOUR_REALM>
 dns_lookup_realm = false
 dns_lookup_kdc = false
  kdc = <YOUR_AD_SERVER1>:88
  kdc = <YOUR_AD_SERVER2>:88

 #######Replace with your REALM Name

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

alter natively you can copy the same file from the host which is already configured for kerberos client.

once after that, you may use the above command to retrieve the keytabs.

however, please note that, you must have access to retrieve the keytabs from that host and user.

for additional details please follow the instructions given at :

for more on step by step instructions you may refer here

@Mamta Chawla

You cannot use the MIT Kerberos kadmin to create accounts in an Active Directory. That tool is only for use with the MIT KDC. To create accounts in an Active Directory, you will need to use Active Directory-specific tools. However, you can use a similar process that Ambari uses to create accounts in an Active Directory and then manually build the keytab files. This requires the use of the OpenLDAP ldapadd and ldapmodify tools as well as the ktutil command.


On top of this, you will need to make sure your krb5.conf file is correct in order for you to test it out. The krb5.conf file is not needed to create the AD account if you are using LDAP to do the work.