How to create a keytab file for a Kerberos user logging into Active Directory. What's a keytab file? It's basically a file that contains a table of user accounts, with an encrypted hash of the user's password. Why have a keytab file? Well, when you want a server process to automatically logon to Active Directory on startup, you have two options: type the password (in clear text) into a config file somewhere, or store an encrypted hash of the password in a keytab file. Which is safer? Well, you can decide. In any case, you'd better do a good job of protecting the file (be it a config file or a keytab).
Anyway, the accepted way to store a hashed password in Kerberos is to use a keytab file. Now the file can be created using a number of utilities. On a Windows machine, you can usektpass.exe
Before I demonstrate how to create the keytab, a word about encryption. There are a number of encryption types used for hashing a password. These include DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and a few others. Active Directory uses RC4-HMAC by default. Back in Windows 2000, you could also use the DES types without any trouble, but since Windows 2003, only RC4-HMAC is supported, unless you make a registry change (to all of your domain controllers). If you need to use DES for some reason, then refer to the Technet article at the bottom of the page.
Before attempting to create a keytab file, you'll need to know the user's kerberos principal name, in the form of [email protected], and the user's password.
Creating a KeyTab on Windows(tested on Windows Server 2008 R2)
Open a command prompt and type the following command:
Open a terminal window and type the following commands:![Create keytab file linux Create keytab file linux](https://1.bp.blogspot.com/-anY30VvO9mA/XgnrWdKuXwI/AAAAAAAAAGE/zMEe7RnED0o6lfleQZZA7CCSakxFu5rpQCLcBGAsYHQ/s1600/Ticket-viewer.png)
ktutil
addent -password -p [email protected] -k 1 -e RC4-HMAC
![File File](https://flylib.com/books/4/395/1/html/2/images/220fig01.jpg)
wkt username.keytab
q
Testing the Keytab File
Now in order to test the keytab, you'll need a copy of kinit. You can use the version that's on Ubuntu, or if on Windows, you can install the latest Java runtime from Sun (JRE). In either case, you'll need to setup your /etc/krb5.conf file (on Linux) or c:windowskrb5.ini (on Windows). Either file should look something like this:
[libdefaults]
default_realm = MYDOMAIN.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
MYDOMAIN.COM = {
kdc = mydomain.com:88
admin_server = mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
Once you've got your Kerberos file setup, you can use kinit to test the keytab. First, try to logon with your user account without using the keytab:
kinit username@MYDOMAIN.COM
- enter the password -
If that doesn't work, your krb5 file is wrong. If it does work, now try the keytab file:
kinit
Now you should successfully authenticate without being prompted for a password. Success!
More Information
Anyway, the accepted way to store a hashed password in Kerberos is to use a keytab file. Now the file can be created using a number of utilities. On a Windows machine, you can usektpass.exe
- Jan 24, 2020 The keytab file is a binary file, so be sure to transfer it in a way that does not corrupt it. If possible, use SCP or another secure method to transfer the keytab between computers. If you have to use FTP, be sure to issue the bin command from your FTP client before transferring the file.
- This is the account used to generate the Kerberos keytab file that is added to the Zimbra server. Go to the Active Directory Start ProgramsAdministrative ToolsActive Directory Users and Computers console.
- The keytab file is an encrypted, local, on-disk copy of the host's key. The keytab file, like the stash file (Create the Database) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine's local disk.
Winning eleven 8 pc completo. The KEYTAB file format stores pairs of Kerberos principals along with encrypted copies of those principals’ keys. It authenticates the principal on a host. How to open a KEYTAB file You need a suitable software like Kerberos from Massachusetts Institute of Technology to open a KEYTAB file. A keytab is a file used to store the encryption keys for one or more Kerberos principals (usually host and/or service principals). Given one of these keys it is possible to obtain a ticket-granting ticket, so having an encryption key can be equated to having a password.
. On Ubuntu Linux, you can use ktutil.Before I demonstrate how to create the keytab, a word about encryption. There are a number of encryption types used for hashing a password. These include DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and a few others. Active Directory uses RC4-HMAC by default. Back in Windows 2000, you could also use the DES types without any trouble, but since Windows 2003, only RC4-HMAC is supported, unless you make a registry change (to all of your domain controllers). If you need to use DES for some reason, then refer to the Technet article at the bottom of the page.
Before attempting to create a keytab file, you'll need to know the user's kerberos principal name, in the form of [email protected], and the user's password.
Creating a KeyTab on Windows(tested on Windows Server 2008 R2)
Open a command prompt and type the following command:
ktpass /princ[email protected] /pass password /ptype KRB5_NT_PRINCIPAL /out username.keytab
Creating a KeyTab on Ubuntu Linux (tested on Ubuntu 10.10 - Maverick Meerkat)Open a terminal window and type the following commands:
![Create keytab file linux Create keytab file linux](https://1.bp.blogspot.com/-anY30VvO9mA/XgnrWdKuXwI/AAAAAAAAAGE/zMEe7RnED0o6lfleQZZA7CCSakxFu5rpQCLcBGAsYHQ/s1600/Ticket-viewer.png)
ktutil
addent -password -p [email protected] -k 1 -e RC4-HMAC
Create Keytab File Linux
- enter password for username -![File File](https://flylib.com/books/4/395/1/html/2/images/220fig01.jpg)
wkt username.keytab
q
Testing the Keytab File
Now in order to test the keytab, you'll need a copy of kinit. You can use the version that's on Ubuntu, or if on Windows, you can install the latest Java runtime from Sun (JRE). In either case, you'll need to setup your /etc/krb5.conf file (on Linux) or c:windowskrb5.ini (on Windows). Either file should look something like this:
[libdefaults]
default_realm = MYDOMAIN.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
MYDOMAIN.COM = {
kdc = mydomain.com:88
admin_server = mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
Once you've got your Kerberos file setup, you can use kinit to test the keytab. First, try to logon with your user account without using the keytab:
kinit username@MYDOMAIN.COM
- enter the password -
If that doesn't work, your krb5 file is wrong. If it does work, now try the keytab file:
kinit
How To Create Keytab File
username@MYDOMAIN.COMHow To Generate Keytab File For Mac Windows 7
-k -t username.keytabNow you should successfully authenticate without being prompted for a password. Success!
More Information