Create a kadmind Keytab (optional)

The kadmind keytab is the key that the legacy administration daemons
kadmind4 and v5passwdd will use to decrypt
administrators' or clients' Kerberos tickets to determine whether or
not they should have access to the database. You need to create the
kadmin keytab with entries for the principals kadmin/admin and
kadmin/changepw. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
keytab, run kadmin.local and use the ktadd command, as
in the following example. (The line beginning with => is a
continuation of the previous line.)

     shell% /usr/local/sbin/kadmin.local
     kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
     => kadmin/admin kadmin/changepw
     Entry for principal kadmin/admin with kvno 5, encryption
     type Triple DES cbc mode with HMAC/sha1 added to keytab
     WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode
     with CRC-32 added to keytab
     WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/changepw with kvno 5, encryption
     type Triple DES cbc mode with HMAC/sha1 added to keytab
     WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/changepw with kvno 5,
     encryption type DES cbc mode with CRC-32 added to keytab
     WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     kadmin.local: quit
     shell%

As specified in the -k argument, ktadd will save the
extracted keytab as
/usr/local/var/krb5kdc/kadm5.keytab.
The filename you use must be the one specified in your kdc.conf
file.
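
To confirm afterwards that the keytab holds the entries ktadd reported (principal, kvno, encryption type) without ever printing key bytes, the file can be parsed directly. The following is an added example, not part of the original guide or of the Kerberos distribution; it assumes the standard version 0x0502 keytab layout, and the realm EXAMPLE.COM, the all-zero keys and the helper build_entry are constructed here only to produce sample input.

```python
import struct

# Enctype numbers for the two types named in the ktadd output above.
ENCTYPES = {1: "des-cbc-crc", 16: "des3-cbc-sha1"}

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, kvno, enctype, key):
    """Encode one keytab entry; used only to construct the sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, realm, kvno, enctype) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    def counted():                 # read one 16-bit length-prefixed field
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", data, pos)
        pos += 11
        counted()                  # skip the key bytes; they are never returned
        if end - pos >= 4:         # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append((name, realm, kvno, ENCTYPES.get(etype, f"etype {etype}")))
        pos = end
    return entries

# Constructed sample: realm and all-zero keys are placeholders, not real keys.
SAMPLE = b"\x05\x02" + b"".join(build_entry(p, "EXAMPLE.COM", 5, e, bytes(n))
    for p in ("kadmin/admin", "kadmin/changepw") for e, n in ((16, 24), (1, 8)))
```

On a real master KDC, pass the bytes of the file named in kdc.conf to parse_keytab and check that both kadmin/admin and kadmin/changepw appear with the kvno that ktadd printed.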