How To Generate Keytab File For Mac Windows 10
Objective
To add a host or service principal to a keytab using MIT Kerberos
Background
A keytab is a file used to store the encryption keys for one or more Kerberos principals (usually host and/or service principals). Given one of these keys it is possible to obtain a ticket-granting ticket, so having an encryption key can be equated to having a password. Whenever a host or service principal is created it is normal practice to add it to a keytab.
Kerberos hosts usually have a default keytab with the pathname /etc/krb5.keytab. The host principal should be added to this keytab, but it is not necessarily suitable for use with service principals. The reason is that /etc/krb5.keytab should be readable only by root, whereas on modern systems it is common for network services to execute as a non-root user. The only secure solution to this issue is to have multiple keytabs, each owned by the user that needs access to it.
Scenario
Suppose you wish to allow authentication to the web site http://www.example.com/ using Kerberos. You have created a service principal called HTTP/www.example.com@EXAMPLE.COM for this purpose, and now need to add it to a keytab.
The web site is served using Apache running as the user www-data. The default keytab cannot therefore be used, and you have chosen to create a separate one for use by Apache at the pathname /etc/apache2/http.keytab.
Prerequisites
The method described here assumes that you already have:
It is not necessary for the keytab file to exist beforehand because it will be created if necessary.
To create a service principal see the microHOWTO Create a service principal using MIT Kerberos.
Method
A host or service principal can be added to a new or existing keytab using the ktadd command of kadmin:
The -q option specifies a kadmin command to be executed, in this case ktadd.
The -k option of ktadd specifies the pathname of the keytab to which the host or service principal is to be added. In the absence of this option the default keytab at /etc/krb5.keytab is used instead. If the specified keytab does not exist then it will be created.
By default kadmin appends /admin to your default principal or username and attempts to authenticate to the admin server using that. You can specify an alternative admin principal using the -p option if required.
You do not need to be root to run kadmin; however, if you are not root then it will probably not be on your path. A common location for the executable is /usr/sbin/kadmin.
It is often convenient to run kadmin on the machine for which the keytab is needed; however, you should do this only if you are willing to trust that machine with administrative rights to the realm as a whole. Otherwise, choose a machine that you do trust (such as the KDC). If you transfer a keytab from one machine to another then you should use a secure method such as scp.
On Debian-based systems kadmin is provided by the krb5-user package, whereas on Red Hat-based systems it is provided by the krb5-workstation package.
Testing
List the content of the keytab
You can list the content of a keytab using the ktutil command:
This will start an interpreter to which the following two commands should be issued:
If the keytab exists and the host or service principal has been correctly added to it then you should see output similar to the following:
Send an EOT character (control-D) to exit from ktutil.
Obtain a ticket-granting ticket using the keytab
You can check that the keytab contains the appropriate encryption key by attempting to use it to obtain a ticket-granting ticket. This can be done using the kinit command:
If the keytab exists and the host or service principal has been correctly added to it then kinit should return immediately, without requesting a password and without printing a message. You can verify that a ticket-granting ticket was obtained using klist, which should produce output similar to the following:
Once you are satisfied that the keytab is working you should destroy the ticket using the kdestroy command.
Note
The act of creating a keytab has the side effect of setting a new encryption key for the host or service principal. This will cause any keytab that may previously have been created for that host or service principal to be invalidated. You can check whether a keytab entry has been superseded in this way by comparing the Key Version Number (KVNO) within the keytab with that considered current by the KDC.
You should not normally need more than one keytab for any given host or service principal; however, this can be a requirement for some types of clustering. In that case the appropriate procedure is to create the keytab once using kadmin, then distribute copies to any other machines that need one.
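The following script is an added example, not part of the original HOWTO: it carries the Method, Testing and Note sections above through for the Apache scenario, as a set of shell functions around the real MIT tools (kadmin, ktutil, kinit, klist, kdestroy). It assumes the realm EXAMPLE.COM, an admin principal you/admin@EXAMPLE.COM and the Debian path /usr/sbin/kadmin; all three are placeholders to adjust. The two parsing helpers at the end implement the KVNO comparison the Note describes, reading the output of klist -k and of kadmin's getprinc, and can be exercised on captured output without a KDC.

```shell
#!/bin/sh
# Added example (not the HOWTO's own commands). Realm, admin principal and
# kadmin path below are assumptions; override them through the environment.
set -u

KADMIN=${KADMIN:-/usr/sbin/kadmin}
PRINC=${PRINC:-HTTP/www.example.com@EXAMPLE.COM}   # service principal (assumed realm)
KEYTAB=${KEYTAB:-/etc/apache2/http.keytab}
OWNER=${OWNER:-www-data}                            # user the service runs as
ADMIN=${ADMIN:-you/admin@EXAMPLE.COM}               # hypothetical admin principal

# Method: add the principal to the keytab, creating the file if needed.
# ktadd generates a fresh key and increments the KVNO on the KDC, so any older
# keytab that still holds this principal stops working afterwards.
add_to_keytab() {
    "$KADMIN" -p "$ADMIN" -q "ktadd -k $KEYTAB $PRINC"
}

# A keytab is password-equivalent: give it to the service user only, mode 0600.
restrict_keytab() {
    chown "$OWNER" "$KEYTAB" && chmod 0600 "$KEYTAB"
}

# Returns 0 when the file is exactly mode 0600 (no group/other access).
keytab_mode_ok() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Testing (1): list the keytab, feeding ktutil the read_kt and list commands
# non-interactively instead of typing them at its prompt.
list_keytab() {
    printf 'read_kt %s\nlist\n' "$KEYTAB" | ktutil
}

# Testing (2): obtain a TGT from the keytab, show it, then destroy it.
check_tgt() {
    kinit -k -t "$KEYTAB" "$PRINC" && klist && kdestroy
}

# Note: KVNO comparison. keytab_kvno takes the text of `klist -k KEYTAB`, whose
# entries look like "   3 HTTP/www.example.com@EXAMPLE.COM", and prints the
# highest vno stored for the given principal (0 if absent).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { max = 0 }
        $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# kdc_kvno takes the text of `kadmin -q "getprinc PRINC"`, whose key lines look
# like "Key: vno 3, aes256-cts-hmac-sha1-96", and prints the current vno.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9]*\),.*/\1/p' | sort -n | tail -n 1
}

# Returns 0 when the keytab's newest key matches what the KDC considers current.
kvno_matches() {
    kt=$(keytab_kvno "$(klist -k "$KEYTAB")" "$PRINC")
    kdc=$(kdc_kvno "$("$KADMIN" -p "$ADMIN" -q "getprinc $PRINC")")
    echo "keytab kvno=$kt  kdc kvno=$kdc"
    [ "$kt" = "$kdc" ]
}

# Run the whole procedure only when invoked as: sh keytab.sh run
case "${1:-}" in
    run) add_to_keytab && restrict_keytab && list_keytab && check_tgt \
         && keytab_mode_ok "$KEYTAB" && kvno_matches && echo "keytab OK" ;;
esac
```

Run it as root on a machine you trust with admin rights to the realm (the KDC itself is the safe default), or copy the resulting keytab to the web server with scp afterwards. If kvno_matches reports a lower number for the keytab than for the KDC, the keytab has been superseded by a later ktadd and must be regenerated.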
See also
Further reading
Tags: kerberos