Creating a Keytab File
What is a Keytab File (user.keytab) and How is it Created?
A keytab (short for “key table”) file is a file that stores one or more Kerberos principals along with their corresponding secret keys. It enables automated, non-interactive authentication to Kerberos services, making it particularly useful for scripts, CI/CD pipelines, or services that need to authenticate without human intervention.
How is a Keytab File Created?
The user.keytab file is typically created on a system with administrative access to the Kerberos Key Distribution Center (KDC). This is often done using the ktutil tool or similar utilities provided by Kerberos implementations (e.g., MIT Kerberos or Heimdal). Here's a typical process for creating a keytab file:
1. Identify the Principal: Determine the Kerberos principal for which the keytab will be created (e.g., user@domain.nl).

2. Generate the Keytab: On a system with Kerberos tools installed, you can use the kadmin or kadmin.local tool (if you have admin privileges on the KDC) to extract the key for the principal into a keytab file. Example using kadmin:

    kadmin -p admin@domain.nl ktadd -k user.keytab user@domain.nl

   This command extracts the key for user@domain.nl and stores it in user.keytab. Alternatively, if you are on the KDC itself, you might use kadmin.local:

    kadmin.local -q "ktadd -k user.keytab user@domain.nl"

3. Secure the Keytab: The keytab file contains sensitive data (the principal's secret keys). It must be protected with strict file permissions (e.g., readable only by the user or service that needs it) and should not be stored in version control.
Keytab files can also be created for service principals (e.g., HTTP/server.domain.nl@domain.nl) for use with services like web servers or automated processes.
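As an added example (not part of the original page or of any Kerberos project), the following Python script shows what the "Secure the Keytab" step protects. It builds a small keytab in the MIT 0x0502 file format from constructed sample entries for user@domain.nl and HTTP/server.domain.nl@domain.nl, parses it back to show that each principal's key sits in the file in directly readable form, and audits the file mode so that anything beyond owner-only access is flagged. The key bytes, key version numbers and temporary file path are constructed for the demo; the byte layout follows the MIT keytab format, and the enctype numbers 17 and 18 are the standard aes128/aes256-cts-hmac-sha1-96 identifiers.

```python
import os
import struct
import tempfile

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab format 0x0502; all integers are big-endian
NT_PRINCIPAL = 1               # KRB5_NT_PRINCIPAL name type
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(data: bytes) -> bytes:
    # keytab "counted octet string": uint16 length followed by the bytes
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab (demo input only)."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)         # keyblock: enctype + key
        body += struct.pack(">I", kvno)                            # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype, key)] for every live entry in a keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos -= size
            continue
        entry, off = data[pos:pos + size], 0
        pos += size
        ncomp, rlen = struct.unpack_from(">HH", entry, off)
        off += 4
        realm = entry[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off)
            off += 2
            comps.append(entry[off:off + clen].decode())
            off += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", entry, off)
        off += 4
        key = entry[off:off + klen]
        off += klen
        kvno = vno8
        if off + 4 <= len(entry):         # 32-bit kvno present after the keyblock
            (kvno,) = struct.unpack_from(">I", entry, off)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def audit_keytab_permissions(path: str):
    """Return findings for a keytab readable beyond its owner (empty list means OK)."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        return ["%s is group/world accessible (mode %04o)" % (path, mode)]
    return []


def demo():
    """Write a constructed keytab, audit it, lock it down, and list what it holds."""
    # Constructed sample entries; the key bytes are placeholders, not real keys.
    sample = [
        ("user@domain.nl", 3, 18, bytes(range(32))),
        ("HTTP/server.domain.nl@domain.nl", 7, 17, bytes(range(16))),
    ]
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_keytab(sample))
        os.chmod(path, 0o644)                       # simulate a sloppy deployment
        findings_before = audit_keytab_permissions(path)
        os.chmod(path, 0o600)                       # the fix: owner-only, as the page requires
        findings_after = audit_keytab_permissions(path)
        with open(path, "rb") as fh:
            parsed = parse_keytab(fh.read())
    finally:
        os.unlink(path)
    for principal, kvno, enctype, key in parsed:
        # The key itself is in the file: anyone who can read it holds the credential.
        print("%-35s kvno=%d %s key=%s..." % (
            principal, kvno, ENCTYPE_NAMES.get(enctype, enctype), key[:4].hex()))
    return {"principals": [e[0] for e in parsed],
            "findings_before": findings_before, "findings_after": findings_after}
```

Calling demo() runs the whole round trip on a temporary file. After a real ktadd, point audit_keytab_permissions() and parse_keytab() at the deployed user.keytab to confirm the mode is owner-only and that only the expected principals are present; klist -kt shows the same principal list without exposing the key bytes.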