Make sure that the principal already exists in the Kerberos database.
See How to View the List of Kerberos Principals for more information.
Become superuser on the host that needs a principal added to its keytab file.
Start the kadmin command.
# /usr/sbin/kadmin
Add a principal to a keytab file by using the ktadd command.
kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]
-e enctype
    Overrides the list of encryption types defined in the krb5.conf file.
-k keytab
    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.
-q
    Displays less verbose information.
principal
    Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.
-glob principal-exp
    Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin.
Quit the kadmin command.
kadmin: quit
In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.
denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
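The transcript above shows ktadd writing DES, Triple DES and ArcFour keys next to the AES keys. The following shell sketch is an added example, not part of the original documentation: it parses ktadd output and flags entries with a weak encryption type. The function names and the weak-type list (DES, Triple DES and ArcFour, following RFC 6649 and RFC 8429) are assumptions.

```sh
#!/bin/sh
# Added example: flag weak encryption types in ktadd output.
# Assumption: DES, Triple DES and ArcFour count as weak (RFC 6649, RFC 8429).
WEAK_PATTERN='^(DES|Triple DES|ArcFour) '

# Sample input: the ktadd transcript from the example on this page.
sample_transcript() {
    cat <<'EOF'
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
EOF
}

# Read a ktadd transcript on stdin; print one record per keytab entry:
#   STATUS|principal|kvno|enctype|keytab   (STATUS is OK or WEAK)
ktadd_entries() {
    sed -n -E 's/^Entry for principal (.+) with kvno ([0-9]+), encryption type (.+) added to keytab (.+)\.$/\1|\2|\3|\4/p' |
    while IFS='|' read -r princ kvno etype keytab; do
        if printf '%s\n' "$etype" | grep -Eq "$WEAK_PATTERN"; then
            status=WEAK
        else
            status=OK
        fi
        printf '%s|%s|%s|%s|%s\n' "$status" "$princ" "$kvno" "$etype" "$keytab"
    done
}

# Print only the entries that need attention.
weak_entries() {
    ktadd_entries | awk -F'|' '$1 == "WEAK"'
}

# Run against the sample transcript.
sample_transcript | weak_entries
```

Entries reported as WEAK are the ones to review against site policy; the -e option described above limits which encryption types ktadd writes to the keytab.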