Kerberos
kinit
kinit
kinit PRINCIPAL
kinit -kt ${KEYTAB}.keytab
kinit -kt ${KEYTAB}.keytab PRINCIPAL
klist
klist
klist -kt ${KEYTAB}.keytab
# List encryption types
klist -e
klist -e -kt ${KEYTAB}.keytab
Keytabs
A keytab must be treated like a password. Although it is not in clear text, having access to a keytab is the same as having your password since they can then impersonate you.
Manually Creating Keytab (w/ password)
ktutil
add_entry -password -p [email protected] -k 3 -e aes256-cts-hmac-sha1-96
write_kt
quit
Available Encryption Types
aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
arcfour-hmac
des-cbc-md5
des-cbc-crc
ktutil and Active Directory
- http://kerberos.996246.n3.nabble.com/ktutil-problems-generating-AES-keys-salt-tp41104p41129.html
- http://mailman.mit.edu/pipermail/kerberos/2015-July/020908.html
You cannot specify the salt when using ktutil. What you need to do instead is to specify exactly the same principal that AD uses as salt.
For machine accounts this salting principal is
host/sAMAccountname.domain_name@DOMAIN_NAME
sAMAccountname := the machines samaccountname without "$"
domain_name := name of AD domain name in lowercase
DOMAIN_NAME := name of AD domain name in uppercase
For user accounts this salting principal is username@DOMAIN_NAME
username := first component of userPrincipalname or sAMAccountName if userPrincipalname attribute is not set