How to create a kerberos keytab on Active Directory for Red Hat Enterprise Linux

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Windows Server 2008
  • Windows Server 2003

Issue

How to create a kerberos keytab on Active Directory for Red Hat Enterprise Linux servers

Resolution

  1. In the Active Directory Users and Computers MMC tool create a new computer in the CN=Computers tree.

  2. Create forward and reverse DNS records for the newly added computer.

  3. Using an Admin account, use the "Run as administrator" option when launching a Command Prompt.

  4. Add a service principal name to the computer account.
    Windows 2008

     setspn -A host/f.q.d.n@$REALM computername
    

    Windows 2003

     "c:\Program Files\Support Tools\setspn" -A host/f.q.d.n@$REALM computername
    
  5. Use the Windows ktpass tool to create a keytab. This process will also set the User Principal Name for the computer object.
    Windows 2008

     ktpass /princ host/f.q.d.n@REALM /out krb5.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser ADSHORTNAME\computername$ +setupn +rndPass +setpass +answer
    

    Windows 2003

     "c:\Program Files\Support Tools\ktpass" /princ host/f.q.d.n@REALM /out krb5.keytab /mapuser ADSHORTNAME\computername$ /mapop set +rndpass /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL +answer
    
  6. Copy the newly created krb5.keytab file from the Windows server to /etc/krb5.keytab on the RHEL server. If SELinux is enabled, run restorecon on the file.

     restorecon /etc/krb5.keytab
    
  7. To test the keytab, run the following on the RHEL system. klist should show a TGT obtained for the host/f.q.d.n principal.

     kinit -k host/f.q.d.n@$REALM
     klist
    
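
Two things worth checking before relying on the keytab, neither of which kinit tells you: the example keytab below was written with /crypto All and so contains DES and RC4 keys next to the AES ones, and the file arrived on the RHEL side as mode 0644 until permissions were tightened. The following script is an added example, not part of this Red Hat article; it assumes the MIT Kerberos "klist -k -e" listing format and GNU coreutils stat, both present on RHEL, and the sample listing embedded in it is constructed to mirror the article's example output.

```shell
#!/bin/bash
# Added example, not from the Red Hat article: audit a keytab copied to
# /etc/krb5.keytab for weak enctypes, mixed KVNOs and loose permissions.
# Assumes MIT Kerberos `klist -k -e` output and GNU `stat` (both on RHEL).

# Constructed sample of `klist -k -e` output, matching the enctypes that
# `ktpass /crypto All` produced in the article's example.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-crc)
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS (des-cbc-md5)
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS (arcfour-hmac)
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS (aes256-cts-hmac-sha1-96)
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS (aes128-cts-hmac-sha1-96)'

# Keep only entry lines of the form "<kvno> <principal> (<enctype>)".
entry_lines() { printf '%s\n' "$1" | grep -E '^ *[0-9]+ [^ ]+ \('; }

# Number of entries keyed with DES or RC4 (arcfour); both are weak.
weak_entry_count() { entry_lines "$1" | grep -cE '\((des-|arcfour-)'; }

# Number of entries keyed with AES.
aes_entry_count() { entry_lines "$1" | grep -cE '\(aes(128|256)-'; }

# Number of distinct KVNOs; more than one means a stale key is still present.
kvno_count() { entry_lines "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '; }

# Succeeds only when the keytab is readable by its owner alone (mode 0600).
keytab_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# Full audit: returns 0 when the listing has AES keys, no weak keys and a
# single KVNO, and the file is mode 0600; each finding goes to stderr.
audit_keytab() {
  listing=$1 file=$2 rc=0
  [ "$(aes_entry_count "$listing")" -gt 0 ] || { echo "no AES keys in keytab" >&2; rc=1; }
  [ "$(weak_entry_count "$listing")" -eq 0 ] || { echo "DES/RC4 keys in keytab" >&2; rc=1; }
  [ "$(kvno_count "$listing")" -eq 1 ] || { echo "mixed KVNOs in keytab" >&2; rc=1; }
  keytab_mode_ok "$file" || { echo "$file is not mode 0600" >&2; rc=1; }
  return $rc
}

# Stand-alone run against the live keytab when one is present.
if [ -r /etc/krb5.keytab ] && command -v klist >/dev/null 2>&1; then
  audit_keytab "$(klist -k -e /etc/krb5.keytab)" /etc/krb5.keytab
fi
```

If the audit reports DES or RC4 keys, regenerate the keytab with /crypto AES256-SHA1 (or AES128-SHA1) instead of /crypto All, and chmod 600 the copied file before restorecon.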

[1] Note for Windows 2003:
Windows 2003 does not have the setspn or ktpass tools installed by default. These can be found on CD1 of the install media. The suptools.msi installer can be found under the support\tools area of the CD. By default the tools will be installed in the c:\Program Files\Support Tools\ directory.

Example

Windows Server 2008 R2

c:\> setspn -A host/rhel6-2k8-sssd.2k8r2domain.gss rhel6-2k8-sssd
Registering ServicePrincipalNames for CN=rhel6-2k8-sssd,CN=Computers,DC=2k8r2domain,DC=gss
        host/rhel6-2k8-sssd.2k8r2domain.gss
Updated object

c:\> ktpass /princ host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS /out rhel6-2k8-sssd.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser 2K8R2DOMAIN\rhel6-2k8-sssd$ +setupn +rndPass +answer
Targeting domain controller: win2k8sp1-64.2k8r2domain.gss
Successfully mapped host/rhel6-2k8-sssd.2k8r2domain.gss to RHEL6-2K8-SSSD$.
WARNING: Account RHEL6-2K8-SSSD$ is not a user account (uacflags=0x1021).
WARNING: Resetting RHEL6-2K8-SSSD$'s password may cause authentication problems if RHEL6-2K8-SSSD$ is being used as a server.

Reset RHEL6-2K8-SSSD$'s password [y/n]?  auto:
YES
Password succesfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to rhel6-2k8-sssd.keytab:
Keytab version: 0x502
keysize 78 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2a8c3def80fbdce9)
keysize 78 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2a8c3def80fbdce9)
keysize 86 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x5ab9a194a2bdb59a12cb734a10da27f0)
keysize 102 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xa430521c89dfc17fd959fc2dbf595b73d71cd2b77047434fee0b3f85ef5739f2)
keysize 86 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x3d36aeca56cbeeb62ee20d0cb5400d81)

c:\> "c:\Program Files (x86)\PuTTY\pscp.exe" rhel6-2k8-sssd.keytab root@rhel6-2k8-sssd.2k8r2domain.gss:/etc/krb5.keytab
root@rhel6-2k8-sssd.2k8r2domain.gss's password:
rhel6-2k8-sssd.keytab     | 0 kB |   0.4 kB/s | ETA: 00:00:00 | 100%

RHEL6 Server

[root@rhel6-2k8-sssd ~]# ls -laZ /etc/krb5.keytab
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/krb5.keytab
[root@rhel6-2k8-sssd ~]# restorecon /etc/krb5.keytab
[root@rhel6-2k8-sssd ~]# ls -laZ /etc/krb5.keytab
-rw-r--r--. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
[root@rhel6-2k8-sssd ~]# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS
   3 host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS
[root@rhel6-2k8-sssd ~]# kinit -k host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS
[root@rhel6-2k8-sssd ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/rhel6-2k8-sssd.2k8r2domain.gss@2K8R2DOMAIN.GSS

Valid starting     Expires            Service principal
09/14/12 17:13:34  09/15/12 03:13:37  krbtgt/2K8R2DOMAIN.GSS@2K8R2DOMAIN.GSS
	renew until 09/21/12 17:13:34

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.