Helpful tips

What is a Keytab?

Every host that provides a service must have a local file, called a keytab (short for key table). The keytab holds the key for the appropriate service principal, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only to Kerberos and the service itself.
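As an added example (not code from the original page), the following Python reads the MIT-format keytab file that kadmin ktadd and ktutil write and lists each service key's principal, kvno and encryption type the way klist -k -e does, flagging deprecated DES/RC4 keys; the sample keytab, its all-zero keys and the example.com principal names are constructed in memory for illustration.

```python
import struct
# Enctype numbers as shown by klist -e; single DES and RC4 (arcfour) are deprecated.
ENCTYPES = {1: "des-cbc-crc", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 3, 23}

def _cstr(buf, pos):
    """Counted string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_entry(principal, kvno, enctype, key, timestamp):
    """Serialise one size-prefixed keytab record the way MIT krb5 (kadmin ktadd, ktutil) writes it."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]   # realm first, then components
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type KRB5_NT_PRINCIPAL, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per live entry; free slots (negative size) are skipped and key bytes never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                    # deleted entry: skip its bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c)
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                                # step over the key bytes
        v32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        kvno = v32 or vno8                              # 32-bit kvno, when present and nonzero, wins
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "weak": enctype in WEAK})
    return entries

# Constructed sample keytab (all-zero keys, not real credentials): AES entry, freed slot, legacy RC4 entry.
SAMPLE = (b"\x05\x02" + build_entry("host/kdc2.example.com@EXAMPLE.COM", 3, 18, bytes(32), 1700000000)
          + struct.pack(">i", -5) + bytes(5)
          + build_entry("HTTP/www.example.com@EXAMPLE.COM", 7, 23, bytes(16), 1700000100))
```

Pointing parse_keytab at the bytes of /etc/krb5.keytab shows which principals and key versions a host actually holds and whether any weak enctypes remain, without printing key material.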

What is Kadmin?

kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal kadmin/ADMINHOST (where ADMINHOST is the fully-qualified hostname of the admin server) or kadmin/admin.

How do I view the Kerberos principals list?

How to View the List of Kerberos Principals

  1. If necessary, start the SEAM Tool. See How to Start the SEAM Tool for more information.
  2. Click the Principals tab. The list of principals is displayed.
  3. Display a specific principal or a sublist of principals. Type a filter string in the Filter field, and press Return.

How do I create a user principal in Kerberos?

How to Create a New Kerberos Principal

  1. If necessary, start the SEAM Tool.
  2. Click the Principals tab.
  3. Click New.
  4. Specify a principal name and a password.
  5. Specify the encryption types for the principal.
  6. Specify the policy for the principal.

What is Kinit Kerberos?

kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool that is commonly found in other Kerberos implementations, such as the SEAM and MIT reference implementations.

What is Ktpass?

The ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service.

How do I start Kadmin?

Start kadmin from a root shell on the secondary KDC.

  1. Use the kadmin add_principal command to create a new entry for the secondary KDC’s host service.
  2. Use the kadmin ktadd command to set a random key for the service and store the random key in the secondary KDC server’s default keytab file.

What is my Kerberos principal name?

A Kerberos Principal represents a unique identity in a Kerberos system to which Kerberos can assign tickets to access Kerberos-aware services. Principal names are made up of several components separated by the “/” separator. You can also specify a realm as the last component of the name by using the “@” character.

How do I check my Kerberos ticket?

To view or delete Kerberos tickets you can use the Kerberos List tool (Klist.exe). Klist.exe is a command-line tool you can find in the Kerberos resource kit. You can only use it to check and delete tickets from the current logon session. We recommend destroying your Kerberos tickets after use.

What is a Kerberos principal?

How do you add principal and Keytab in Kerberos?

Creating a Kerberos principal and keytab files

  1. Log on as the Kerberos administrator (Admin) and create a principal in the KDC. You can use cluster-wide or host-based credentials.
  2. Obtain the key of the principal by running the subcommand getprinc principal_name.
  3. Create the keytab files, using the ktutil command:

How do I add a new principal to a policy?

This function creates the new principal, prompting twice for a password, and, if neither the -policy nor -clearpolicy options are specified and the policy “default” exists, assigns it that policy. The syntax is: kadmin: add_principal [options] principal

What does add_principal do?

add_principal [options] newprinc creates the principal newprinc, prompting twice for a password. If no password policy is specified with the -policy option, the policy named default is assigned to the principal if it exists. However, creating a policy named default will not automatically assign this policy to previously existing principals.

How do I add a principal to the database?

To add a principal to the database, use the kadmin add_principal command, which requires the “add” administrative privilege. This function creates the new principal, prompting twice for a password, and, if neither the -policy nor -clearpolicy options are specified and the policy “default” exists, assigns it that policy.