Make sure that the principal already exists in the Kerberos database.
See How to View the List of Principals for more information.
Become superuser on the host that needs a principal added to its keytab file.
Start the kadmin command.
# /usr/sbin/kadmin |
Add a principal to a keytab file by using the ktadd command.
kadmin: ktadd [-k keytab] [-q] [principal | -glob principal-exp] |
-k keytab |
Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used. |
-q |
Displays less verbose information. |
principal |
Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp. |
-glob principal-exp |
Specifies the principal expressions. All principals that match the principal.are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin. |
Quit the kadmin command.
kadmin: quit |
In the following example, the kadmin/admin and kadmin/changepw principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.
kdc1 # /usr/sbin/kadmin.local kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw Entry for principal kadmin/admin@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal kadmin/changepw@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab. kadmin.local: quit |
In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.
denver # /usr/sbin/kadmin kadmin: ktadd host/denver@example.com@EXAMPLE.COM kadmin: Entry for principal host/denver@example.com@EXAMPLE.COM with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab. kadmin: quit |