What is needed to generate kerberos keytab file on windows?
I was looking for an answer to the above question on different web sites, but in every case there was how to generate a keytab file. I need a keytab to get an HBase connection which contains Kerberos authentication.

Frolic answered 1/4, 2017 at 6:30 Comment(1)
Hi; if we've answered your question, please mark it as such, which will verify it to others in the community; otherwise please let us know if any. Prefecture
In order to generate a keytab on Windows, you need to be running some version of Kerberos which talks back to a Directory server. On Windows, by far the most prevalent example of this is Active Directory, which has Kerberos support built-in. You'll need to create the keytab on a Windows server joined to the Active Directory domain, using the ktpass command to actually create the keytab.

Keytab generation syntax example:

ktpass -out centos1-dev-local.keytab -mapUser [email protected] +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/[email protected]

The above command example successfully creates a keytab for use in an AD domain named DEV.LOCAL. Note: notice the use of the randomize password syntax (+rndPass). In my opinion, there is no need to specify a password in the keytab creation command syntax. Instead, it's better to allow the password to be randomized - that provides much better security since it prevents anyone from being able to manually log on as the AD account surreptitiously and bypass the keytab.

For additional reference, I highly suggest you read my article on Kerberos keytab creation on the Windows platform on Microsoft Technet which greatly expands on what I said here: Kerberos Keytabs – Explained. I frequently go back and edit it based on questions I see here in this forum.

Prefecture answered 2/4, 2017 at 0:27 Comment(4)
And where can I get ktpass.exe on non-Server Windows 10? Raila
@PatrickSzalapski - ktpass will not run on Windows 10; it only runs on Windows Server (i.e., Windows Server 2008/2012/2016/2019). Prefecture
I am having a very hard time understanding the -mapUser and -princ relationship. Why can't both be the same? I just need a keytab file to get a Kerberos ticket from the Active Directory KDC using the kinit command, for example (c:\> kinit -kt aduser.keytab aduser@REALM), so why do I need to bother about mapping two different user IDs using -mapUser and -princ? I also want to keep the existing password in AD using -pass xyz12345. Doloroso
The -princ is the SPN; the -mapUser is the AD account name. Scapolite
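As an added example, not code from any answer or comment above: a PowerShell wrapper around ktpass that runs the same kind of command the accepted answer shows, then verifies that the SPN given to -princ was actually registered on the account given to -mapUser (the relationship asked about in the comments), checks that the account advertises AES so the KDC issues tickets the AES256-only keytab can decrypt, and restricts the keytab file's ACL before it is copied to the HBase client host. It assumes a domain-joined Windows Server with the ActiveDirectory RSAT module; the account name svc-http-centos1, the SPN HTTP/centos1.dev.local and the output path are placeholders, and the realm DEV.LOCAL is taken from the answer.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the answer author's code). Placeholders: account, SPN, output path.
$Realm      = 'DEV.LOCAL'                  # realm from the answer; Kerberos realms are upper-case
$SamAccount = 'svc-http-centos1'           # placeholder: existing AD service account
$Spn        = 'HTTP/centos1.dev.local'     # placeholder: service/host the keytab is for
$Principal  = "$Spn@$Realm"
$OutFile    = Join-Path $env:TEMP 'centos1.keytab'

# 1. Generate the keytab. +rndPass resets the account password to a random value,
#    so nothing else may rely on knowing that account's password afterwards.
#    -mapOp set replaces any SPNs already on the account (use 'add' to keep them).
$ktpassArgs = @(
    '-out',     $OutFile,
    '-princ',   $Principal,
    '-mapUser', "$SamAccount@$Realm",
    '-mapOp',   'set',
    '+rndPass',
    '-crypto',  'AES256-SHA1',
    '-ptype',   'KRB5_NT_PRINCIPAL'
)
& ktpass.exe @ktpassArgs
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }   # assumes non-zero exit on failure

# 2. Verify the -princ/-mapUser relationship: the SPN must now be on the account.
$acct = Get-ADUser -Identity $SamAccount -Properties servicePrincipalName,
    'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber'
if ($acct.servicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn is not registered on $SamAccount; the keytab will not match any service ticket"
}

# 3. The keytab holds only an AES256 key. If the account does not advertise AES256
#    (bit 0x10 of msDS-SupportedEncryptionTypes), the KDC may issue service tickets
#    with a different etype and the service will be unable to decrypt them.
$encTypes = [int]($acct.'msDS-SupportedEncryptionTypes' | Select-Object -First 1)
if (($encTypes -band 0x10) -eq 0) {
    Write-Warning "$SamAccount does not advertise AES256 (msDS-SupportedEncryptionTypes=$encTypes)"
}

# 4. Record the key version; the client's keytab kvno must match what AD now holds.
Write-Host "keytab $OutFile written for $Principal, kvno $($acct.'msDS-KeyVersionNumber')"

# 5. The keytab is equivalent to the account password: drop inherited permissions
#    and grant access only to the current user and SYSTEM until it is moved.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls.exe $OutFile /inheritance:r /grant:r "${me}:(F)" 'SYSTEM:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed to restrict $OutFile" }
```

Run it once per service principal from an account with rights to modify the service account. If the kvno reported in step 4 differs from the one in an older keytab already deployed on the HBase client, the old keytab is now invalid and must be replaced, which is the expected consequence of +rndPass.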
