Next: , Previous: Create Host Keys for the Slave KDCs, Up: Install the Slave KDCs



4.1.2.2 Extract Host Keytabs for the KDCs

Each KDC (including the master) needs a keytab to decrypt tickets. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. To extract a keytab on a KDC called kerberos.mit.edu, you would execute the following command:

     kadmin: ktadd host/kerberos.mit.edu
     kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with
          kvno 1, encryption type DES-CBC-CRC added to keytab
          WRFILE:/etc/krb5.keytab.
     kadmin:

Note that the principal must exist in the Kerberos database in order to extract the keytab.