NOTE: Creating a keytab file is easy enough but I have to refresh myself each time so I thought I would document it in a blog post.
I’m assuming for anyone who is doing this that you have your
/etc/krb5.conf in order and that isn’t going to get in your way.
One thing you’re going to want to know is what your permitted and default
enctypes and the realm are from this file. In my case I’m going to use
aes128-cts-hmac-sha1-96 and my realm is
Creating the keytab file
To create the keytab file you’re going to need
ktutil (and a number of other
sudo yum install krb5-workstation
sudo apt-get install krb5-user
Now you have the required programs installed, you can create your keytab file using
This will present you with a prompt for you to add the entries in the keytab file
add_entry -password -p user@DPE.INTERNAL -k 1 -e aes256-cts-hmac-sha1-96 Password for user@DPE.INTERNAL: <enter password here> write_kt user.keytab quit
Breaking this down, we are saying that we want to add an entry to the keytab using a password for authentication.
-p is the principal that we will be logging in as using the end file.
-k refers to the Key Version Number which in some situations isn’t really needed and is ignored (in Windows environment for example). You can get the current Key version number (kvno) by using the
kvno user@DPE.INTERNAL user@DPE.INTERNAL: kvno = 1
-e refers to the enctype mentioned earlier. This needs to be one of those that are permitted in your
krb5.conf file so you’re using an accepted and appropriate encryption.
Testing the Key
We can now test the keytab for successfully login
kinit -kt user.keytab user@DPE.INTERNAL
This should exit normally, then we can check we’ve got a ticket using
klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: user@DPE.INTERNAL Valid Starting Expires Service principal 01/23/2019 14:27:28 01/24/2019 00:27:28 user@DPE.INTERNAL
To clear out the ticket, you can use
kdestroy. This will remove all current authentications.