What goes on when using kinit with a keytab file

dorothy · Aug 11, 2014 · Viewed 19.9k times

Wish to get more understanding on the use of kinit and keytab file. For example, if I already have a keytab file generated for a service (the service registered to Active Directory by ktpass -mapuser to someuseraccount)

ktab -k "mykeytab" -a <someprincipal>

what really happens under the hood when a user called USERA logs in to Windows and uses this keytab as an input parameter for kinit?

kinit -k -t "mykeytab" <someprincipal>

Does kinit generate initial credentials for someprincipal or for the currently logged-in USERA?

Hope you can clear up this confusion of mine. Thanks.

Answer

Fred the Magic Wonder Dog · Aug 12, 2014

This is glossing over many important details, but basically all you ever get from the KDC is an encrypted blob.

The Kerberos KDC does not store your password, but a secret key. When you kinit, what is going on under the covers is that you are asking the KDC for a ticket with which to ask for more Kerberos tickets; it encrypts that ticket with your secret key.

If you know your secret key, you can decrypt the blob and use that to access other services.

When you kinit with a password, Kerberos uses a "string to key" algorithm to convert your password to the secret key used by the KDC. A keytab is just a means for storing the secret key in a local file.

So when you kinit using a keytab, it uses the key in the keytab to decrypt the blob. As far as the Kerberos protocol is concerned, there really is no difference between using a keytab to kinit and using a password. Both ultimately use the same secret key to decrypt the ticket.

So after you use the keytab for kinit, you have a Kerberos ticket of the principal in the keytab. A keytab used with kinit can be thought of as storing a password in a file.
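To make the answer's "string to key" point concrete, here is an added example (not code from the answer, from MIT Kerberos or from the ktab/ktpass tools) that derives an aes128-cts-hmac-sha1-96 key from a password exactly as RFC 3962 specifies (PBKDF2-HMAC-SHA1, then one AES encryption of the n-fold of "kerberos"), and then writes those key bytes into a minimal one-entry MIT keytab so you can see that the file holds nothing more than the derived key plus principal metadata. The password, salt and expected key are the published RFC 3962 Appendix B test vector; the salt convention (realm followed by principal name) is MIT's default and is an assumption here, since Active Directory uses different salts and other enctypes such as RC4 use a different derivation altogether. Function names, the timestamp of 0 and the omission of the optional trailing 32-bit kvno field are choices of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), the first step of the
// RFC 3962 string-to-key function; written out so only the standard library is needed.
func pbkdf2SHA1(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, pass)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block) // INT(i), big-endian
		u := mac.Sum(nil)                           // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U_1 xor U_2 xor ... xor U_iter
			mac = hmac.New(sha1.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// nfoldKerberos128 is the 128-bit n-fold of the ASCII string "kerberos"
// (RFC 3961 Appendix A.1), the constant RFC 3962 feeds into key derivation.
var nfoldKerberos128 = mustHex("6b65726265726f737b9b5b2b93132b93")

// aes128StringToKey implements RFC 3962 section 4 for aes128-cts-hmac-sha1-96:
// tkey = PBKDF2(password, salt, iter, 16); key = DK(tkey, "kerberos"). For a
// 16-byte key, DK is a single AES encryption of n-fold("kerberos") under tkey.
func aes128StringToKey(password, salt string, iter int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, 16)
	c, err := aes.NewCipher(tkey)
	if err != nil {
		panic(err)
	}
	key := make([]byte, 16)
	c.Encrypt(key, nfoldKerberos128)
	return key
}

// singleEntryKeytab serialises a one-entry MIT keytab (file version 0x0502).
// Fields are big-endian: int32 record size, uint16 component count, counted
// realm, counted name components, uint32 name type, uint32 timestamp,
// uint8 kvno, uint16 enctype, uint16 key length, key bytes.
func singleEntryKeytab(realm string, comps []string, kvno uint8, enctype uint16, ts uint32, key []byte) []byte {
	var body bytes.Buffer
	counted := func(s string) {
		binary.Write(&body, binary.BigEndian, uint16(len(s)))
		body.WriteString(s)
	}
	binary.Write(&body, binary.BigEndian, uint16(len(comps)))
	counted(realm)
	for _, c := range comps {
		counted(c)
	}
	binary.Write(&body, binary.BigEndian, uint32(1)) // KRB5_NT_PRINCIPAL
	binary.Write(&body, binary.BigEndian, ts)
	body.WriteByte(kvno)
	binary.Write(&body, binary.BigEndian, enctype)
	binary.Write(&body, binary.BigEndian, uint16(len(key)))
	body.Write(key)

	var out bytes.Buffer
	out.Write([]byte{0x05, 0x02})
	binary.Write(&out, binary.BigEndian, int32(body.Len()))
	out.Write(body.Bytes())
	return out.Bytes()
}

func main() {
	// RFC 3962 Appendix B vector: password "password", salt "ATHENA.MIT.EDUraeburn"
	// (realm + principal name, MIT's default salt; an assumption for other KDCs), 1 iteration.
	key := aes128StringToKey("password", "ATHENA.MIT.EDUraeburn", 1)
	fmt.Printf("aes128 key from password: %x\n", key)
	// Enctype 17 is aes128-cts-hmac-sha1-96; the keytab stores exactly these key bytes.
	kt := singleEntryKeytab("ATHENA.MIT.EDU", []string{"raeburn"}, 1, 17, 0, key)
	fmt.Printf("keytab bytes: %x\n", kt)
}
```

Running it prints the key 42263c6e89f4fc28b8df68ee09799f15 from the RFC vector, and the same sixteen bytes appear verbatim inside the keytab output. That is the whole of the answer's point: kinit with a password computes those bytes on the fly, kinit -k -t reads them from the file, and the KDC cannot tell the two apart, which is also why a keytab deserves the same file permissions and handling as the password it stands in for.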