System Administration Guide: Security Services

How to Add a Service Principal to a Keytab File

  1. Make sure that the principal already exists in the Kerberos database.

    See How to View the List of Principals for more information.

  2. Become superuser on the host that needs a principal added to its keytab file.

  3. Start the kadmin command.


    # /usr/sbin/kadmin
    
  4. Add a principal to a keytab file by using the ktadd command.


    kadmin: ktadd [-k keytab] [-q] [principal | -glob principal-exp]

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information. 

    principal

    Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.

    -glob principal-exp

    Specifies a principal expression. All principals that match the principal expression are added to the keytab file. The rules for principal expressions are the same as for the list_principals command of kadmin.

  5. Quit the kadmin command.


    kadmin: quit
    

Example—Adding a Service Principal to a Keytab File

In the following example, the kadmin/admin and kadmin/changepw principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.


kdc1 # /usr/sbin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.


denver # /usr/sbin/kadmin
kadmin: ktadd host/denver@example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver@example.com@EXAMPLE.COM with kvno 2,
  encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
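As an added example (not part of the guide): a small Python checker for the "Entry for principal ..." messages that ktadd prints in the sessions above. It joins the wrapped continuation lines, strips the kadmin: or kadmin.local: prompt prefix, and confirms that each principal you asked for was written to the keytab named with -k (or the default /etc/krb5/krb5.keytab), returning the kvno and encryption type so they can be compared against what klist -k shows on the host. The sample output is constructed from the first example's lines.

```python
import re

# Constructed sample: ktadd output as the guide shows it, with the wrapped
# continuation lines and the "kadmin.local: " prompt prefix left in place.
SAMPLE_OUTPUT = """\
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC
  added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit
"""

PROMPT_RE = re.compile(r"^kadmin(?:\.local)?:\s*")
ENTRY_RE = re.compile(
    r"Entry for principal (?P<principal>\S+) with kvno (?P<kvno>\d+), "
    r"encryption type (?P<enctype>\S+) added to keytab WRFILE:(?P<keytab>\S+)"
)

def parse_ktadd_output(text):
    """Return one dict per 'Entry for principal ...' message in ktadd output."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            # Indented line: the wrapped tail of the previous message.
            lines[-1] += " " + raw.strip()
        else:
            lines.append(PROMPT_RE.sub("", raw))
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["kvno"] = int(entry["kvno"])
            entry["keytab"] = entry["keytab"].rstrip(".")  # message ends in a period
            entries.append(entry)
    return entries

def check_ktadd(text, requested, keytab="/etc/krb5/krb5.keytab"):
    """Compare ktadd's report with the principals requested (realm optional) and
    the keytab given with -k; return entries, names not written, and strays."""
    entries = parse_ktadd_output(text)
    written = {e["principal"] for e in entries if e["keytab"] == keytab}
    written_no_realm = {p.split("@", 1)[0] for p in written}
    missing = [p for p in requested if p not in written and p not in written_no_realm]
    wrong_keytab = [e for e in entries if e["keytab"] != keytab]
    return {"entries": entries, "missing": missing, "wrong_keytab": wrong_keytab}
```

Each ktadd run generates a new key for the principal, so the kvno it reports is the one every other copy of that principal's key must now carry.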