You can add a principal to a keytab file after ensuring that the principal exists in the Kerberos database. For more information, see Viewing Kerberos Principals and Their Attributes.
On the host that needs a principal added to its keytab file, you run the ktadd command in a kadmin process. For more information, see the kadmin(1M) man page.
# /usr/sbin/kadmin
kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]

-e enctype
    Overrides the list of encryption types defined in the krb5.conf file.
-k keytab
    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.
-q
    Displays less verbose information.
principal
    Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.
-glob principal-exp
    Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin. For the possible expressions, review the expression definition in the kadmin(1M) man page.
In this example, denver's host principal is added to denver's keytab file so that the KDC can authenticate denver's network services.
denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
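The ktadd output in this example reports one keytab entry per encryption type, including a Triple DES key. The following Python script is an added example, not part of the original documentation: it parses that output and reports entries with legacy encryption types, and principals that appear with more than one kvno. The names parse_ktadd, audit, and LEGACY_MARKERS are hypothetical, and the list of legacy markers is an assumption to adapt to local policy.

```python
import re

# One "Entry for principal ..." line in the format ktadd prints on this page.
ENTRY_RE = re.compile(
    r"Entry for principal (?P<principal>\S+) with kvno (?P<kvno>\d+), "
    r"encryption type (?P<enctype>.+?) added to keytab (?P<keytab>\S+?)\.?$"
)
# Assumption: name fragments treated as legacy ciphers; adjust to local policy.
LEGACY_MARKERS = ("DES", "ArcFour")

# ktadd output copied from the example on this page.
SAMPLE = """\
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
"""

def parse_ktadd(output):
    """Return one dict per keytab entry reported in ktadd output."""
    entries = []
    for line in output.splitlines():
        match = ENTRY_RE.search(line.strip())
        if match:
            entry = match.groupdict()
            entry["kvno"] = int(entry["kvno"])
            entries.append(entry)
    return entries

def audit(entries):
    """Return findings for legacy enctypes and for principals with mixed kvnos."""
    findings, kvnos = [], {}
    for entry in entries:
        kvnos.setdefault(entry["principal"], set()).add(entry["kvno"])
        if any(marker in entry["enctype"] for marker in LEGACY_MARKERS):
            findings.append(("legacy-enctype", entry["principal"], entry["enctype"]))
    # More than one kvno for a principal means it was re-keyed between ktadd runs.
    for principal, seen in sorted(kvnos.items()):
        if len(seen) > 1:
            findings.append(("mixed-kvno", principal, sorted(seen)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ktadd(SAMPLE)):
        print(finding)
```

If a legacy type is reported, the -e option described above can be used to override the encryption types that ktadd takes from the krb5.conf file.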