Playground II
This lesson demonstrates creating keytabs and using the kadmin utility.
In this lesson, we’ll see how to create keytabs and how to use kadmin to make changes to the KDC database. The commands to run, and the terminal to run them in, appear below, followed by a discussion of the exercise.
# Get latest packages
apt-get update
# Install the Kerberos server
apt install krb5-kdc krb5-admin-server krb5-config -y
# Enter the following string (or any of your choice) when
# prompted for 'Default Kerberos version 5 realm'
DATAJEK
# Enter localhost when prompted for 'Kerberos servers for your realm'
localhost
# Enter localhost when prompted for 'Administrative server for your Kerberos realm'
localhost
# Initialize the realm we created and then enter a suitable password when prompted
krb5_newrealm
# Now install the client packages for interacting with the KDC
apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config
# Set the following environment variable so that we see detailed outputs
export KRB5_TRACE=/dev/stdout
# Start the kadmin console
kadmin.local
# Add the user principal laila
kadmin: add_principal laila/educative
# Quit the kadmin console
kadmin: quit
#################### CREATING KEYTAB ####################
# Start ktutil console
ktutil
# Add an entry (the kvno given with -k must match the principal's kvno in the KDC)
ktutil: add_entry -password -p laila/educative -k 1 -e aes256-cts
# Export the keytab to disk
ktutil: wkt /tmp/laila.keytab
# Exit ktutil console
ktutil: quit
# Verify the keytab has been created
ls -ltr /tmp/laila.keytab
# Examine the keytab
klist -ekt /tmp/laila.keytab
# Use this created keytab file to authenticate to Kerberos
kinit -V -k -t /tmp/laila.keytab laila/educative@DATAJEK
#################### USING KADMIN ####################
# Modify ACL
vim /etc/krb5kdc/kadm5.acl
# At the bottom of the file add the following line and save
laila/educative@DATAJEK *
# Press the ESC key and quit vim by entering the following sequence and hitting enter
:wq!
# Restart the kadmind server so it reads the new ACL
/etc/init.d/krb5-admin-server restart
# Connect to the kadmind server using the principal we created earlier
kadmin -p laila/educative
# List principals to verify we are connected to kadmind and able to execute commands
kadmin: list_principals
# Exit the kadmin console
kadmin: quit
ktutil - Exporting creds to Keytab file
Using ktutil
We can export the Kerberos credentials to a keytab file (short for "key table"). A keytab is a file containing pairs of Kerberos principals and encrypted keys, where each key is derived from the principal's Kerberos password. You can use a keytab file to authenticate to remote systems with Kerberos without entering a password, which is exactly why a keytab must be protected like a password. We’ll use the ktutil utility to export the keytab for the user Laila. The sequence of commands to do so is shown below:
ktutil
ktutil: add_entry -password -p
...
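To make concrete what klist -ekt shows when it examines the keytab written by ktutil above, here is an added example (not code from the original lesson or from MIT Kerberos) that builds and parses the version 2 keytab file format that ktutil's wkt command produces: a 0x0502 magic, then for each entry a signed 32-bit size, the principal's component count, realm and components as length-prefixed strings, the name type, a timestamp, an 8-bit kvno, the enctype and key, and an optional 32-bit kvno trailer. The sample entries, their key bytes and timestamp are constructed placeholders (the keys are not derived from any real password), and the audit helper that flags DES and RC4 entries is our own addition; the enctype numbers themselves are the standard IANA values.

```python
import struct

# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757, RFC 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429); a keytab carrying them is a finding.
WEAK_ENCTYPES = {1, 3, 23}

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2 (MIT and Heimdal)
NT_PRINCIPAL = 1             # KRB5_NT_PRINCIPAL name type


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a version-2 keytab.

    Each entry is: int32 size, uint16 component count, realm, components, uint32 name type,
    uint32 timestamp, uint8 kvno, uint16 enctype, uint16 key length, key, uint32 kvno.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)      # 32-bit kvno trailer, as MIT ktutil writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Parse a version-2 keytab into one dict per live entry (what 'klist -ekt' lists)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % (blob[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # negative size: a deleted slot of that many bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_len": len(key),
        })
        pos = end                        # skip any padding up to the declared entry size
    return entries


def audit_keytab(blob: bytes):
    """Return (principal, enctype name) for every entry keyed with a deprecated enctype."""
    return [(e["principal"], e["enctype_name"])
            for e in parse_keytab(blob) if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: placeholder key bytes (NOT derived from any real password) and a
# fixed, arbitrary timestamp so the output is reproducible.
SAMPLE_ENTRIES = [
    ("laila/educative@DATAJEK", 1, 18, b"\x11" * 32, 1700000000),
    ("host/legacy.datajek@DATAJEK", 3, 23, b"\x22" * 16, 1700000000),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%3d %-32s %s" % (e["kvno"], e["principal"], e["enctype_name"]))
    print("weak enctypes:", audit_keytab(SAMPLE_KEYTAB))
```

Running the block against a real file is a matter of passing `open("/tmp/laila.keytab", "rb").read()` to parse_keytab. Two details matter operationally: the kvno stored in the keytab (the -k 1 given to add_entry) must match the principal's kvno in the KDC database, otherwise kinit -k fails even with the right password-derived key, and a keytab is equivalent to the password it was made from, so its file permissions deserve the same scrutiny as the weak enctypes the audit helper reports.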