Adding Principals to Keytabs
To generate a keytab, or to add a principal to an existing keytab, use the ktadd command from kadmin, which requires the "inquire" administrative privilege. (If you use the -glob princ_exp option, it also requires the "list" administrative privilege.) The syntax is:
ktadd [-k[eytab] keytab] [-q] [-e key:salt_list] [principal | -glob princ_exp] [...]
The ktadd command takes the following switches:
- -k[eytab] keytab
- use keytab as the keytab file. Otherwise, ktadd will use the default keytab file (/etc/krb5.keytab).
- -e "enc:salt..."
- Uses the specified list of enctype-salttype pairs for setting the key
of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
earlier than krb5-1.2. See Supported Encryption Types and
Salts for all possible values.
- -q
- run in quiet mode. This causes ktadd to display less verbose information.
- principal | -glob principal expression
- add principal, or all principals matching principal expression, to the keytab. The rules for principal expression are the same as for the kadmin list_principals command (see Retrieving a List of Principals).
Here is a sample session, using configuration files that enable only des-cbc-crc encryption. (The line beginning with => is a continuation of the previous line.)
kadmin: ktadd host/[email protected]
kadmin: Entry for principal host/[email protected] with
kvno 2, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin:
kadmin: ktadd -k /usr/local/var/krb5kdc/kadmind.keytab
=> kadmin/admin kadmin/changepw
kadmin: Entry for principal kadmin/[email protected] with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
kadmin:
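To audit what ktadd wrote without exposing key bytes, the following added example (not part of the original documentation or the krb5 source) parses keytab file format version 0x0502 and flags single-DES entries such as the DES-CBC-CRC keys in the session above. The realm, host name and all-zero keys are constructed sample data, and make_entry is a hypothetical helper used only to build it.

```python
import struct

# Enctype numbers from the IANA Kerberos registry; single-DES is deprecated (RFC 6649).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 2, 3}

def parse_keytab(data):
    """Return (principal, kvno, enctype name, is_weak) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # zero length ends the entry list
            break
        if size < 0:                       # negative length: deleted entry, skip the hole
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, end, fields = pos + 2, pos + size, []
        for _ in range(ncomp + 1):         # realm first, then each name component
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                     # skip the key bytes; never print them
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        princ = "/".join(fields[1:]) + "@" + fields[0]
        out.append((princ, kvno, ENCTYPES.get(etype, "etype-%d" % etype), etype in WEAK))
        pos = end
    return out

def make_entry(realm, comps, kvno, etype, key):
    """Build one constructed keytab entry (test data only, all-zero keys)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(cs(s.encode()) for s in [realm] + comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the same host principal with a DES key (kvno 2) and an AES key (kvno 3).
SAMPLE = (b"\x05\x02" + make_entry("EXAMPLE.COM", ["host", "web1.example.com"], 2, 1, bytes(8))
          + make_entry("EXAMPLE.COM", ["host", "web1.example.com"], 3, 18, bytes(32)))

if __name__ == "__main__":
    for princ, kvno, name, weak in parse_keytab(SAMPLE):
        print(princ, "kvno", kvno, name, "WEAK" if weak else "ok")
```

On a real host, pass the bytes of the keytab file (for example /etc/krb5.keytab, read as root) to parse_keytab; klist -ke reports the same fields from the installed Kerberos tools.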