What is needed to generate kerberos keytab file on windows?

Michal Kowalczyk picture Michal Kowalczyk · Apr 1, 2017 · Viewed 8.7k times · Source

I was looking for answer to above question on different web sites but in the every case there was how to generate keytab file. I need keytab to get hbase connection which contains kerberos authentication.

Answer

T-Heron picture T-Heron · Apr 2, 2017

In order to generate a keytab on Windows, you need to be running some version of Kerberos which talks back to a Directory server. On Windows, by far the most prevalent example of this is Active Directory, which has Kerberos support built-in. You'll need to create the keytab on a Windows server joined to the Active Directory domain, using the ktpass command to actually create the keytab.

Keytab generation syntax example:

ktpass -out centos1-dev-local.keytab -mapUser [email protected] +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/[email protected]

The above command example successfully creats a keytab for use in an AD domain named DEV.LOCAL. Note: notice the use of the randomize password syntax (+rndPass). In my opinion, there is no need to specify a password in the keytab creation command syntax. Instead, it's better to allow the password to be randomized - that provides much better security since it prevents anyone from being able to manually logon as the AD account surreptitiously and bypass the keytab.

For additional reference, I highly suggest you read my article on Kerberos keytab creation on the Windows platform on Microsoft Technet which greatly expands on what I said here: Kerberos Keytabs – Explained. I frequently go back and edit it based on questions I see here in this forum.