1. Use klist to display the keytab file entries:
klist -e -k -t mykeytabfile.keytab
or klist -ekt nsupdateuser.ktab
or type command:
klist -e -k -t mykeytabfile.keytab
or klist -ekt nsupdateuser.ktab
#ktutil # execute this command
ktutil: # this prompt will appear
ktutil: read_kt /etc/apache2/http.keytab #read keytab file
ktuilt: list #list all princples
example:
[root@customer-prod-util-101 utilscripts]# klist -e -k -t nsupdateuser.ktab
Keytab name: FILE:nsupdateuser.ktab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 09/08/15 21:50:45 nsupdate@site1.example.com (aes256-cts-hmac-sha1-96)
[root@customer-prod-util-101 utilscripts]#
2. Following is an example of the keytab file creation process using kerberos method :
> ktutil
ktutil: addent -password -p username@example.com -k 1 -e rc4-hmac
Password for username@example.com: [enter your password]
ktutil: addent -password -p username@example.com -k 1 -e aes256-cts
Password for username@example.com: [enter your password]
ktutil: wkt username.keytab
ktutil: quit
Following is an example using Heimdal Kerberos:
> ktutil -k username.keytab add -p username@example.com -e arcfour-hmac-md5 -V 1
3. Obtain a ticket-granting ticket using the keytab for testing:
You can check that the keytab contains the appropriate encryption key by attempting to use it to obtain a ticket-granting ticket. This can be done using the kinit command:
#kinit -k -t /etc/nsupdateuser.keytab nsupdate@example.com # here nsupdate is username exiting in AD. this has privileges to update dns records on win DNS.
#klist <#will show if ticket is created or not
example :
[root@customer-prod-util-101 ~]# kinit -k -t /root/utilscripts/nsupdateuser.ktab nsupdate # uses default domain
[root@customer-prod-util-101 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nsupdate@site1.example.com
Valid starting Expires Service principal
12/24/15 05:29:49 12/24/15 15:29:49 krbtgt/site1.example.com@site1.example.com
renew until 12/31/15 05:29:49
[root@customer-prod-util-101 ~]#
Or try to login to test if keytab file works :
Test with out keytab file:
#kinit username@MYDOMAIN.COM
password> // pass password of username
Test with keytab file:
#kinit username@MYDOMAIN.COM -k -t username.keytab
4. Using a keytab to authenticate scripts:
To execute a script so it has valid Kerberos credentials, use:
> kinit username@example.com -k -t mykeytab; myscript
list out principle :
>ktutil
ktutil: rkt nsupdateuser.ktab
ktuilt: list
5. Merging keytab files:
> ktutil
ktutil: read_kt mykeytab-1
ktutil: read_kt mykeytab-2
ktutil: read_kt mykeytab-3
ktutil: write_kt krb5.keytab
ktutil: quit
6. Delete principle:
#ktuil
ktutil: rkt
ktuilt: list
ktutil: delete_entry slot-number
ktuilt: wkt
ktuilt: quit
7. Destroy cached ticket:
kdestroy -A //all cache will be destroyed
kdestroy -C
#kdestroy -c "FILE:/tmp/krb5cc_0"
No comments:
Post a Comment