Name
ext_keytab — Adding keys into keytabs
Synopsis
ext_keytab [-k keytab] glob-pattern ...
Aliases
ext
The ext_keytab command creates a random key for a principal or set of principals in the Kerberos database, and returns those keys to the client so that they can be saved into a keytab file on the client machine. This command is used to create keytabs for service and host principals in a Kerberos realm.
Note that ext_keytab will not extract the current key from the Kerberos database; it instead creates a new, random key and returns it, incrementing the key version number to indicate that a new key has been generated. This is a deliberate design decision, as it prevents a rogue administrator from simply dumping the entire Kerberos database through kadmin. It also means that the old keys or passwords assigned to this principal will no longer be valid once ext_keytab is run on the principal, and that you cannot run ext_keytab from more than one system on the same principal, since each system will receive a different key.
The only optional parameter that ext_keytab understands is -k, which places the key into a keytab other than the default, /etc/krb5.keytab.
Any number of principal names or glob patterns matching principals can follow the command; all of the principals that match the list given will be appended to the keytab file.
The ext_keytab command requires that the administrator have get privileges on the principal(s) he is extracting.
Example
kadmin> ext_keytab -k /tmp/hostkey host/desktop.wedgie.org ...
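The key version mismatch described above (a second ext_keytab run on the same principal leaves the first keytab holding a superseded key) can be detected from the keytab files themselves. The following is an added example, not code from the book or from any Kerberos distribution; it assumes the keytab file format version 0x0502, and the realm WEDGIE.ORG, the kvno values and the all-zero key in the builder are constructed test data.

```python
import struct

MAGIC = b"\x05\x02"  # keytab file format version 0x0502; all fields big-endian

def _counted(b):
    return struct.pack(">H", len(b)) + b

def _read(buf, off):
    """Read a 16-bit-length-prefixed string; return (value, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_keytab(principal, realm, kvno, enctype=18, key=bytes(32)):
    """Constructed single-entry keytab; the key is all zeros, not a real key."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
    return MAGIC + struct.pack(">i", len(body)) + body

def keytab_kvnos(data):
    """Map each principal in a keytab to the highest kvno stored for it."""
    if data[:2] != MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, {}
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _read(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read(entry, off)
            comps.append(comp)
        kvno = entry[off + 8]              # after name type and timestamp
        _, off = _read(entry, off + 11)    # skip enctype; key bytes are never kept
        if len(entry) - off >= 4:          # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        name = (b"/".join(comps) + b"@" + realm).decode()
        out[name] = max(out.get(name, 0), kvno)
    return out

def stale_principals(local, other):
    """Principals whose newest kvno in `local` is lower than in `other`."""
    a, b = keytab_kvnos(local), keytab_kvnos(other)
    return {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] < b[p]}
```

Given the raw bytes of two hosts' keytabs, stale_principals reports each principal whose key on the first host was superseded by a later extraction on the second; only principal names and version numbers are returned, never key material.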