Sun Enterprise Authentication Mechanism Guide

How to Add a Service Principal to a Keytab

  1. Make sure the principal already exists in the Kerberos database.

    See "How to View the List of Principals" for more information.

  2. Become superuser on the host that needs a principal added to its keytab.

  3. Start the kadmin command.


    # /usr/krb5/sbin/kadmin
    
  4. Add a principal to a keytab by using the ktadd command.


    kadmin: ktadd [-k keytab] [-q] [principal | -glob principal_exp]

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Principal to be added to the keytab. You can add the following service principals: host, root, nfs, and ftp.

    -glob principal_exp

    All principals matching the principal expression are added to the keytab. The rules for principal expression are the same as for the list_principals command of kadmin.

  5. Quit the kadmin command.


    kadmin: quit
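The following script is an added example and is not part of the Sun guide. It wraps steps 2 through 5 above in one function: it refuses to run unless invoked as superuser, adds the named principal to the default keytab with ktadd, and then confirms that the entry is present and that the keytab file is owned by root with no group or other access. Two assumptions are not on the page: that this kadmin accepts the MIT-style -q option to run a single command without an interactive session, and that klist lives at /usr/krb5/bin/klist and prints one "KVNO Principal" line per keytab entry.

```shell
#!/bin/sh
# Added example, not from the Sun guide. Adds a service principal to the
# default keytab with kadmin's ktadd and then checks the result.
# Assumptions (not stated on the page): kadmin accepts "-q" to run one
# command non-interactively, and "klist -k" prints a "KVNO Principal" line
# for each keytab entry after a short header.

KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}   # default keytab, as in step 4
KADMIN=${KADMIN:-/usr/krb5/sbin/kadmin}    # path from step 3
KLIST=${KLIST:-/usr/krb5/bin/klist}        # assumed path, same tree as kadmin

# keytab_has_principal PRINCIPAL
#   Reads "klist -k" output on stdin; succeeds if an entry for PRINCIPAL is
#   listed. Entry lines start with a numeric kvno, header lines do not.
keytab_has_principal() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_kvno PRINCIPAL
#   Reads "klist -k" output on stdin; prints the highest kvno recorded for
#   PRINCIPAL (after a key change a keytab may hold several versions).
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { if (max > 0) print max }'
}

# check_keytab_perms FILE [OWNER]
#   A keytab holds long-term keys: it must belong to OWNER (root unless
#   given) and grant no access to group or others. Uses "ls -ld" so the
#   check works on Solaris as well as Linux.
check_keytab_perms() {
    file=$1
    owner=${2:-root}
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    set -- $(ls -ld "$file")
    mode=$1
    case $mode in
        ????------*) ;;          # group and other bits are all clear
        *) echo "$file: mode $mode is too permissive" >&2; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "$file: owned by $3, not $owner" >&2; return 1; }
}

# add_service_principal PRINCIPAL
#   Steps 2-5 of the procedure: must run as superuser, adds the principal
#   with ktadd, then verifies the entry landed and the file permissions.
add_service_principal() {
    princ=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as superuser" >&2; return 1; }
    "$KADMIN" -q "ktadd -k $KEYTAB $princ" || return 1
    "$KLIST" -k "$KEYTAB" | keytab_has_principal "$princ" || {
        echo "$princ not found in $KEYTAB after ktadd" >&2; return 1; }
    check_keytab_perms "$KEYTAB" root
}

# Only act when a principal is named in the environment, for example:
#   ADD_PRINCIPAL=host/denver.acme.com@ACME.COM sh add_keytab.sh
if [ -n "${ADD_PRINCIPAL:-}" ]; then
    add_service_principal "$ADD_PRINCIPAL"
fi
```

The verification step matters more than the ktadd call itself: a keytab entry that never landed leaves the service unable to authenticate, and a keytab readable by other users exposes the service's long-term key, so both are checked before the function reports success.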
    

Example--Adding a Service Principal to a Keytab

The following example adds the kadmin/admin and kadmin/changepw principals to a master KDC's keytab. For this example, the keytab file must be the one specified in the kdc.conf file.


kdc1 # /usr/krb5/bin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin@ACME.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw@ACME.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

The following example adds denver's host principal to denver's keytab file, so denver's network services can be authenticated by the KDC.


denver # /usr/krb5/bin/kadmin
kadmin: ktadd host/denver.acme.com@ACME.COM
kadmin: Entry for principal host/denver.acme.com@ACME.COM with kvno 2,
  encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit