4

I was looking for an answer to the above question on different web sites, but in every case it only described how to generate a keytab file. I need a keytab to get an HBase connection that uses Kerberos authentication.

T-Heron
Michal Kowalczyk
  • Hi; if we've answered your question, please mark it as such, which will verify it to others in the community; otherwise, please let us know if anything remains. – T-Heron Apr 07 '17 at 11:38

1 Answer

7

In order to generate a keytab on Windows, you need to be running some version of Kerberos which talks back to a Directory server. On Windows, by far the most prevalent example of this is Active Directory, which has Kerberos support built-in. You'll need to create the keytab on a Windows server joined to the Active Directory domain, using the ktpass command to actually create the keytab.

Keytab generation syntax example:

ktpass -out centos1-dev-local.keytab -mapUser krbCentos@DEV.LOCAL +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/centos1.dev.local@DEV.LOCAL

The above command example successfully creates a keytab for use in an AD domain named DEV.LOCAL. Note the use of the randomize-password option (+rndPass). In my opinion, there is no need to specify a password in the keytab creation command syntax. Instead, it's better to allow the password to be randomized - that provides much better security since it prevents anyone from being able to manually log on as the AD account surreptitiously and bypass the keytab.

For additional reference, I highly suggest you read my article on Kerberos keytab creation on the Windows platform on Microsoft Technet which greatly expands on what I said here: Kerberos Keytabs – Explained. I frequently go back and edit it based on questions I see here in this forum.

T-Heron
  • And where can I get ktpass.exe on non-Server Windows 10? – Patrick Szalapski Feb 08 '21 at 16:17
  • @PatrickSzalapski - ktpass will not run on Windows 10, that only runs on Windows Server (i.e., Windows Server 2008/2012/2016/2019). – T-Heron Feb 09 '21 at 04:06
  • I am having a very hard time understanding the -mapUser and -princ relationship. Why can't both be the same? I just need a keytab file to get a Kerberos ticket from the Active Directory KDC using the kinit command, for example (c:\> kinit -kt aduser.keytab aduser@REALM), so why do I need to bother about mapping two different user IDs using -mapUser and -princ? I also want to keep the existing password in AD using -pass xyz12345. – ebeb Jul 01 '22 at 22:06
  • The -princ is the SPN; the -mapUser is the AD account name. – mfinni Jul 15 '22 at 22:30
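Before handing a keytab produced by ktpass to HBase or kinit, it is worth confirming that the file actually holds the principal given to -princ with an AES key (the -crypto AES256-SHA1 choice above) and the expected kvno. The following is an added example, not code from the original answer: a parser for the version-2 keytab file format that ktpass writes, plus a check for the expected principal; build_entry exists only to construct test data, since a real file comes from ktpass.

```python
import struct
AES_ENCTYPES = {17, 18}   # aes128/aes256-cts-hmac-sha1-96; 23 would be rc4-hmac

def _cos(buf, off):       # counted octet string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """One dict per entry (principal, name_type, kvno, enctype); key bytes are not retained."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cos(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cos(data, off)
            comps.append(c.decode())
        name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                  # fixed fields (4+4+1+2+2) plus the secret key
        # an optional trailing 32-bit kvno overrides the 8-bit field when present and non-zero
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": etype})
        off = end
    return entries

def check_keytab(data, expected_principal):
    """Findings to fix before handing the file to HBase: missing SPN entry or non-AES key."""
    entries = parse_keytab(data)
    problems = [f"{e['principal']}: enctype {e['enctype']} is not AES"
                for e in entries if e["enctype"] not in AES_ENCTYPES]
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append(f"no entry for {expected_principal}")
    return problems

def build_entry(principal, kvno, etype, key, name_type=1):
    """Constructed test entry (name type 1 = KRB5_NT_PRINCIPAL); real files come from ktpass."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
```

Run check_keytab(open("centos1-dev-local.keytab", "rb").read(), "HTTP/centos1.dev.local@DEV.LOCAL") against the real file; the kvno it reports must match the account's current msDS-KeyVersionNumber in AD, which +rndPass bumps each time ktpass is re-run.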