Every host that provides a service must have a local file, called a keytab (short for key table). The keytab contains the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself.

What is principal in Keytab?

Every host that provides a service must have a local file, called a keytab (short for key table). The keytab contains the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself.

Can Keytab be shared?

Application can use the keytab to get the ticket for itself or on some user’s behalf if the service account is allowed to delegate or impersonate. They are stored on secure location with access to very specific services/users. Sharing keytab among different users is very odd case and doesn’t look practical.

How do I add a principal to Keytab?

How to Add a Kerberos Service Principal to a Keytab File

  1. Make sure that the principal already exists in the Kerberos database.
  2. Become superuser on the host that needs a principal added to its keytab file.
  3. Start the kadmin command.
  4. Add a principal to a keytab file by using the ktadd command.
  5. Quit the kadmin command.

What is Kerberos Keytab principal?

The Kerberos Keytab file contains mappings between Kerberos Principal names and DES-encrypted keys that are derived from the password used to log into the Kerberos Key Distribution Center (KDC).

How do you list principals in Kerberos?

How to View the List of Kerberos Principals

  1. If necessary, start the SEAM Tool. See How to Start the SEAM Tool for more information.
  2. Click the Principals tab. The list of principals is displayed.
  3. Display a specific principal or a sublist of principals. Type a filter string in the Filter field, and press Return.

How do I add principals to Kerberos?

How to Create a New Kerberos Principal

  1. If necessary, start the SEAM Tool.
  2. Click the Principals tab.
  3. Click New.
  4. Specify a principal name and a password.
  5. Specify the encryption types for the principal.
  6. Specify the policy for the principal.

Does Keytab expire?

As you know the tickets are only valid between a somewhat short amount, typically between 12 and 24 hours, however the keytab is valid as long as you find it valid.

Does Keytab contain password?

A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password.

What is Ktutil command?

The ktutil command is an interactive command-line interface utility for managing the keylist in keytab files. You must read in a keytab’s keylist before you can manage it. Also, the user running the ktutil command must have read/write permissions on the keytab.

How do I create a Kinit Keytab file?

Creating a keytab file for the Kerberos service account (using the ktutil command on Linux)

  1. Start the ktutil tool by invoking it from the command line without any arguments.
  2. Enter the password that you used when creating the Spotfire database account.
  3. Verify the created keytab by running the klist and kinit utilities:

What is Kinit Keytab?

When you kinit with a password, kerberos uses a “string to key” algorithm to convert your password to the secret key used by the KDC. A keytab is just means for storing the secret key in a local file. So when you kinit using a keytab, it uses the key in the keytab to decrypt the blob.

What is IPA Keytab?

A keytab is a file with one or more secrets (or keys) for a Kerberos principal. A Kerberos service principal is a Kerberos identity that can be used for authentication. Service principals contain the name of the service, the hostname of the server, and the realm name.