
spnego.keytab gets corrupted

Explorer

We have a requirement to add two principals to a keytab file, and one of them is the HTTP principal.

When I regenerate the keytabs through Ambari and run the following command, I get a valid ticket:

kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM

Now I need to add the HTTP principal to a user keytab, so I run the following command:

kadmin.local -q "ktadd -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"

After I add the principal and run kinit using spnego.service.keytab (command below), I get an error saying "kinit: Password incorrect while getting initial credentials". Could anyone help me understand why the spnego keytab gets corrupted if I add a principal to a different keytab?

kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM

Thanks in advance!!

1 ACCEPTED SOLUTION

Expert Contributor

This is because the kvno has changed for that principal in the Kerberos database after you create a new keytab for the same principal. You can confirm this by doing:

kadmin.local: get_principal <principal_name>

The kvno is different from the one in spnego.service.keytab (see it by doing klist -kte <keytab>).

What I suggest in this scenario is to "cp spnego.service.keytab user.name.keytab". Then you can provide permissions to that keytab accordingly.

Hope this helps.

4 REPLIES


Explorer

Thanks for the solution. It's working well so far.

@infa elance

The issue is as described by @mrodriguez; however, the real solution is to use the -norandkey option to the ktadd function. This way the key for the principal you want add to the keytab file will not be updated.

kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"

I assume this is a better option since you may want to have the keytab entry for some user's principal in that file as well.

Note: the -norandkey option is only available when using kadmin.local. It is not an option for the general kadmin utility.

Another option is to use the ktutil utility to read in multiple keytab files and write out a new one. See https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html.
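The kvno comparison from the accepted answer and the ktutil-style merge suggested in this reply, as an added example that is not code from the thread, from Ambari or from MIT Kerberos. It reads and writes the MIT keytab file format (version 0x0502) directly, so it runs without a KDC: kvno_mismatches does what comparing two klist -kte listings does, is_stale compares a keytab against the "Key: vno N, ..." lines that get_principal prints, and merge_keytabs does what rkt/rkt/wkt does in ktutil. All function names, the ETYPE/magic constants and the fixed timestamp are mine; the keytab bytes, the 32-byte dummy keys and the get_principal output are constructed for the example, and only the HTTP principal name is taken from the question.

```python
# Added example, not code from this thread, Ambari or MIT Kerberos: reads and
# writes MIT keytab files (format 0x0502), compares a principal's kvno across
# keytabs and against get_principal output, and merges keytabs like ktutil.
import re
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
ETYPE_AES256 = 18            # aes256-cts-hmac-sha1-96

@dataclass(frozen=True)
class KeytabEntry:
    principal: str           # e.g. "HTTP/hdp26.xyz.com@xyz.COM"
    kvno: int
    enctype: int
    key: bytes

def _counted(buf, off):      # counted octet string: uint16 length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def parse_keytab(data):
    """Entries in `data`, the information `klist -kte` prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start, off = off + 4, off + 4 + abs(size)
        if size <= 0:                 # negative size marks a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = _counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        _nametype, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        kvno = vno8                   # 8-bit kvno wraps at 256, so prefer
        if start + size - p >= 4:     # the optional 32-bit one after the key
            kvno = struct.unpack_from(">I", data, p)[0] or vno8
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, etype, key))
    return entries

def build_keytab(entries, timestamp=1500000000):
    """Inverse of parse_keytab; writes name type 1 (KRB5_NT_PRINCIPAL)."""
    def counted(b): return struct.pack(">H", len(b)) + b
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + counted(realm.encode())
        body += b"".join(counted(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, timestamp, e.kvno & 0xFF, e.enctype)
        body += counted(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def highest_kvno(keytab):
    """principal -> highest kvno the keytab holds for it."""
    best = {}
    for e in parse_keytab(keytab):
        best[e.principal] = max(best.get(e.principal, 0), e.kvno)
    return best

def kvno_mismatches(keytab_a, keytab_b):
    """Principals in both keytabs whose kvno differs: {principal: (a, b)}."""
    a, b = highest_kvno(keytab_a), highest_kvno(keytab_b)
    return {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]}

def kdc_kvno(get_principal_output):
    """kvno from `Key: vno 3, aes256-...` lines; max() raises ValueError if none."""
    return max(int(v) for v in re.findall(r"Key: vno (\d+),", get_principal_output))

def is_stale(keytab, principal, get_principal_output):
    """Keytab kvno behind the KDC: `kinit -kt` then reports 'Password incorrect'."""
    return highest_kvno(keytab).get(principal, 0) < kdc_kvno(get_principal_output)

def merge_keytabs(*keytabs):
    """ktutil rkt/rkt/wkt: all distinct (principal, kvno, enctype) entries, keys untouched."""
    seen, merged = set(), []
    for keytab in keytabs:
        for e in parse_keytab(keytab):
            if (e.principal, e.kvno, e.enctype) not in seen:
                seen.add((e.principal, e.kvno, e.enctype))
                merged.append(e)
    return build_keytab(merged)

# Constructed scenario (dummy keys): spnego.service.keytab as generated, HTTP at
# kvno 2; user_name.keytab after a plain ktadd rotated HTTP to kvno 3 in the KDC.
HTTP_PRINC = "HTTP/hdp26.xyz.com@xyz.COM"
SPNEGO_KEYTAB = build_keytab([KeytabEntry(HTTP_PRINC, 2, ETYPE_AES256, b"\x11" * 32)])
USER_KEYTAB_AFTER_KTADD = build_keytab([
    KeytabEntry("user_name@xyz.COM", 1, ETYPE_AES256, b"\x22" * 32),
    KeytabEntry(HTTP_PRINC, 3, ETYPE_AES256, b"\x33" * 32)])
GET_PRINCIPAL_HTTP = ("Principal: HTTP/hdp26.xyz.com@xyz.COM\n"
                      "Number of keys: 1\nKey: vno 3, aes256-cts-hmac-sha1-96\n")
```

On a real host, feed the two files from /etc/security/keytabs to kvno_mismatches: the HTTP principal coming back with two different numbers is the state the question describes, and is_stale tells you which file is the one the KDC no longer accepts. Merging only ever copies existing entries, so it preserves the kvno that still matches the KDC; it also puts the HTTP service key into a file that a user account can read, which is why the permissions mentioned in the accepted answer matter as much as the kvno.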

Explorer

Thanks Robert!! I will try the -norandkey next time.