Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

Administering Keytab Files

Every host that provides a service must have a local file, called a keytab file, which is short for “key table”. The keytab contains the key for each service principal the host offers, called a service key. A service uses its service key to authenticate itself to the KDC, and the key is known only to the KDC and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains the service key for its nfs service principal.

To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command in a kadmin process. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database. On application servers that provide Kerberized services, the keytab file is /etc/krb5/krb5.keytab by default.

A keytab is analogous to a user's password. Just as users must protect their passwords, application servers must protect their keytab files: anyone who can read a keytab can impersonate every service whose key it holds. Always store keytab files on a local disk, owned by root and readable and writable only by root (mode 0600). Never send a keytab file over an unsecured network.
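The ktadd step and the permission checks above, put together as an added shell example (this is not code from the Oracle Solaris documentation). It assumes a service principal such as nfs/host1.example.com that already exists in the KDC database, a Kerberos administration principal (kws/admin is a placeholder), and that kadmin prompts for that principal's password. The same procedure adds a client's root principal (root/hostname) to its keytab for root-level NFS mounts.

```sh
#!/bin/sh
# Add a service key to the local keytab with kadmin ktadd, then verify that
# the keytab is root-owned, mode 0600 and actually contains the principal.
# Added example; principal names and the admin principal are hypothetical.

KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}

# Print the mode string (first field of ls -ld) of a file. ls -ld is used
# instead of stat because its field layout is the same on Solaris and Linux.
file_mode() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$1"
}

# Print the owner (third field of ls -ld) of a file.
file_owner() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# Succeed only if no group/other permission bits are set (rw------- or
# r--------). A trailing "+" or "@" (ACL / extended attributes) is tolerated.
keytab_mode_ok() {
    case "$(file_mode "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file belongs to the expected owner (root by default).
keytab_owner_ok() {
    [ "$(file_owner "$1")" = "${2:-root}" ]
}

# Succeed if klist -k lists the principal among the keytab's entries.
keytab_has_principal() {
    klist -k "$1" 2>/dev/null | grep -qF -- "$2"
}

# Add the service principal's key to the keytab. The principal must already
# exist in the KDC database; ktadd randomizes its key and writes it locally,
# so run this on the host that will use the key rather than copying files.
add_service_key() {
    princ=$1
    admin=${2:-kws/admin}
    kadmin -p "$admin" -q "ktadd -k $KEYTAB $princ" || return 1
    chown root "$KEYTAB" && chmod 600 "$KEYTAB"
    keytab_owner_ok "$KEYTAB" && keytab_mode_ok "$KEYTAB" ||
        { echo "bad ownership or mode on $KEYTAB" >&2; return 1; }
    keytab_has_principal "$KEYTAB" "$princ" ||
        { echo "$princ not found in $KEYTAB" >&2; return 1; }
}

# Usage (as root on the application server):
#   ./keytab-add.sh nfs/host1.example.com kws/admin
if [ $# -ge 1 ]; then
    add_service_key "$@"
fi
```

The ownership and mode checks are deliberately separate from the ktadd call so they can also be run on their own, for example from a periodic audit job over every keytab on the host.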

Special circumstances can require you to add a root principal to a host's keytab file. If you want a user on a Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter.


Caution  -  Mounting NFS servers as root is a security risk.

You can also use the ktutil command to administer keytab files. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because it operates only on the local file and does not interact with the Kerberos database as kadmin does. After a principal is added to a keytab file, you can use ktutil to view the key list in the keytab or to temporarily disable authentication for a service by removing that service's key entry from the keytab; keep a copy of the original keytab so you can restore it to re-enable the service.
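The ktutil procedure for temporarily disabling one service, as an added shell example rather than code from the Oracle Solaris documentation. It drives ktutil with its rkt, list, delent, wkt and quit commands, parses the list output to find every slot holding the target principal, and deletes the highest-numbered slot first because ktutil renumbers the remaining entries after each delent. The embedded list output and the principal names (denver.example.com) are constructed for the example; the ktutil subcommand names are assumed to match the Solaris ktutil.

```sh
#!/bin/sh
# Temporarily disable Kerberos authentication for one service on this host by
# removing its key entries from the local keytab with ktutil. No kadmin
# privileges are needed. The original keytab is saved so the service can be
# re-enabled later by restoring it. Added example; names are hypothetical.

KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}

# Sample "ktutil: list" output, constructed for this example so the slot
# lookup can be exercised without a real keytab. Note two key versions of the
# root principal occupy two slots.
SAMPLE_LIST='slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver.example.com@EXAMPLE.COM
   2    5 host/denver.example.com@EXAMPLE.COM
   3    3 nfs/denver.example.com@EXAMPLE.COM
   4    9 root/denver.example.com@EXAMPLE.COM'

# Read ktutil list output on stdin and print the slot numbers holding the
# given principal, highest first, so deleting them in order never shifts a
# slot we still have to delete. Header, separator and prompt lines are
# skipped because their first field is not a number.
slots_for_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $3 == p { print $1 }' | sort -rn
}

# Print ktutil's view of a keytab (rkt + list) for parsing.
ktutil_list() {
    printf 'rkt %s\nlist\nquit\n' "$1" | ktutil
}

# Read list output on stdin; emit the ktutil command script that removes
# every slot of principal $2 from keytab $1 and writes the result to $3.
ktutil_script() {
    kt=$1; princ=$2; out=$3
    echo "rkt $kt"
    slots_for_principal "$princ" | while read -r slot; do
        echo "delent $slot"
    done
    echo "wkt $out"
    echo "quit"
}

# Disable the service: write a new keytab without its entries, keep the old
# one as .save, and install the new one with the same strict permissions.
disable_service() {
    princ=$1
    new=$KEYTAB.new
    rm -f "$new"                      # wkt appends to an existing file
    ktutil_list "$KEYTAB" | ktutil_script "$KEYTAB" "$princ" "$new" | ktutil || return 1
    cp -p "$KEYTAB" "$KEYTAB.save"    # restore this copy to re-enable
    chown root "$new" && chmod 600 "$new" && mv "$new" "$KEYTAB"
}

# Usage (as root): ./keytab-disable.sh nfs/denver.example.com@EXAMPLE.COM
if [ $# -ge 1 ]; then
    disable_service "$1"
fi
```

Re-enabling is the reverse: move the .save copy back over the keytab. Because this touches only the local file, the KDC still holds the service's key and no new ktadd is needed.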

Note -  When you add a principal to a keytab file by using the ktadd command in kadmin, a new random key is generated for that principal in the Kerberos database and written to the keytab file with a new key version number. Any other keytab that still holds the principal's previous key stops working, so run ktadd on the host that will use the key rather than copying keytab entries between hosts.