Next: , Previous: Keytabs, Up: Keytabs



6.1.1 Adding Principals to Keytabs

To generate a keytab, or to add a principal to an existing keytab, use the ktadd command from kadmin, which requires the “inquire” administrative privilege. (If you use the -glob princ_exp option, it also requires the “list” administrative privilege.) The syntax is:

     ktadd [-k[eytab] keytab] [-q] [-e
     key:salt_list] [principal | -glob princ_exp]
     [...]

The ktadd command takes the following switches:

-k[eytab] keytab
use keytab as the keytab file. Otherwise, ktadd will use the default keytab file (/etc/krb5.keytab).
-e "enc:salt..."
Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See Supported Encryption Types and Salts for all possible values.
-q
run in quiet mode. This causes ktadd to display less verbose information.
principal | -glob principal expression
add principal, or all principals matching principal expression to the keytab. The rules for principal expression are the same as for the kadmin list_principals (see Retrieving a List of Principals) command.

Here is a sample session, using configuration files that enable only des-cbc-crc encryption. (The line beginning with => is a continuation of the previous line.)

     kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
     kadmin: Entry for principal host/daffodil.mit.edu@ATHENA.MIT.EDU with
          kvno 2, encryption type DES-CBC-CRC added to keytab
          WRFILE:/etc/krb5.keytab.
     kadmin:
     kadmin: ktadd -k /usr/local/var/krb5kdc/kadmind.keytab
     => kadmin/admin kadmin/changepw
     kadmin: Entry for principal kadmin/admin@ATHENA.MIT.EDU with
          kvno 3, encryption type DES-CBC-CRC added to keytab
          WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
     kadmin: