How To Generate Keytab File For Mac
How to create a keytab file for a Kerberos user logging into Active Directory. What's a keytab file? It's basically a file that contains a table of user accounts, with an encrypted hash of the user's password. Why have a keytab file? Well, when you want a server process to automatically log on to Active Directory on startup, you have two options: type the password (in clear text) into a config file somewhere, or store an encrypted hash of the password in a keytab file. Which is safer?
Use a secure method to transfer fondulac.keytab to your Macintosh and save it as /etc/krb5.keytab. Open System Preferences, pick 'Sharing', and click 'Remote Login' to enable incoming SSH. Make sure your correct hostname (not the fully qualified name) is in the Computer Name field.
Well, you can decide. In any case, you'd better do a good job of protecting the file (be it a config file or a keytab). Anyway, the accepted way to store a hashed password in Kerberos is to use a keytab file. Now the file can be created using a number of utilities. On a Windows machine, you can use ktpass.exe. On Ubuntu Linux, you can use ktutil. Before I demonstrate how to create the keytab, a word about encryption.
There are a number of encryption types used for hashing a password. These include DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and a few others.
Active Directory uses RC4-HMAC by default. Back in Windows 2000, you could also use the DES types without any trouble, but since Windows 2003, only RC4-HMAC is supported unless you make a registry change (on all of your domain controllers). If you need to use DES for some reason, refer to the Technet article at the bottom of the page. Before attempting to create a keytab file, you'll need to know the user's Kerberos principal name, in the form of, and the user's password.

Creating a KeyTab on Windows (tested on Windows Server 2008 R2)

Open a command prompt and type the following command.

Microsoft's manual for the Ktpass command states that the /princ attribute 'specifies the principal name in the form host/'.
You are stating that the parameter value should be of the form What is correct? The MIT Kerberos instructions state that 'the keytab file is computer independent, so you can perform the process once, and then copy the file to multiple computers.' Hence, a hostname is not required when creating a keytab file.
Does this mean that your proposal is more right? My issue is that I want to use one keytab on multiple computers and do not want to attach the keytab to only one computer.
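The post above describes what a keytab holds (principals with keys of a given enctype) and the comments ask which principals belong in it. The following is an added example, not code from the original post or its commenters: it parses the MIT keytab format (version 0x0502), lists the principals and enctypes without exposing key bytes, and flags entries still keyed with the DES types the post says post-2003 Active Directory rejects by default. The principals, the realm EXAMPLE.COM and the all-zero keys are constructed sample data.

```python
import struct
# Kerberos enctype numbers (RFC 3961, RFC 4757): the DES types named on the page
# are the weak ones; RC4-HMAC is the Active Directory default it describes.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3}

def _pack_cstr(b):                    # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_cstr(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(principal, kvno, etype, key):   # one entry, MIT keytab format 0x0502
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _pack_cstr(realm.encode())
    body += b"".join(_pack_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body        # int32 entry-length prefix

def parse_keytab(data):
    """Return (principal, kvno, etype) per live entry; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, out = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative length marks a deleted entry (hole)
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _read_cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(data, p); comps.append(c.decode())
        _ntype, _stamp, kvno = struct.unpack_from(">IIB", data, p); p += 9
        etype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return out

def weak_entries(data):               # principals keyed with a DES type AD no longer accepts by default
    return [(p, ENCTYPE_NAMES[e]) for p, _, e in parse_keytab(data) if e in WEAK_ENCTYPES]

# Constructed sample: a user key (RC4-HMAC) plus a host key left at DES-CBC-MD5;
# the all-zero keys are placeholders, not real key material.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("fondulac@EXAMPLE.COM", 3, 23, bytes(16))
                 + build_entry("host/mac.example.com@EXAMPLE.COM", 1, 3, bytes(8)))
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` as root to list what a real keytab holds; `weak_entries` on the same bytes shows which principals would need re-keying before DES is disabled.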
Chapter 23: Kerberos on a Macintosh System

In this chapter we describe how to configure Kerberos for Mac OS X 10.x in order to access Kerberized machines and encrypt your data transmissions.

Kerberos on Mac OS X 10.7 and later

Client Configuration

Heimdal Kerberos is shipped as part of Mac OS X (as of the OS X 10.7 'Lion' release). Heimdal Kerberos is an alternate implementation of the Kerberos protocol and (mostly) interoperates with the more common MIT Kerberos (such as is installed on Fermilab Linux systems). In order to configure Kerberos on the Macintosh, obtain the Fermilab Kerberos configuration file krb5.conf from the Fermilab Security web site. The current version can be found at.
The system expects to find this configuration file in one, and only one, of two places. Check for the existence of either of the following two files (/etc is a private directory and requires root privileges).
The recommended practice is to rename the file to /etc/krb5.conf. If the second file (edu.mit.Kerberos) is present, it needs to be deleted. Make sure the Kerberos configuration file exists in only one of these two places!
If you commonly work from behind a NAT (Network Address Translation) router, as is typical of many cable and DSL internet users, you should also add the following line to the [libdefaults] section of the Kerberos configuration:

noaddresses = TRUE

Once you have set up Kerberos, you have:
• Kerberized telnet and ssh clients
• A Kerberized ssh server (if you complete the steps outlined in Section 23.1.3 below)
• Kerberized access to FERMI.WIN.FNAL.GOV Windows servers

You will not have Kerberized ftp, rlogin, and rsh.

AFS Client
• For AFS access: download the latest release of OpenAFS from, selecting the version for your Mac OS X version.
• During the install, the OpenAFS Client Cell panel prompts for the default AFS cell. Enter 'fnal.gov' to connect to the Fermilab AFS cell.
• Alternatively, go to /var/db/openafs/etc/ (requires root privileges) and edit the ThisCell file so that it contains only a single line containing the text 'fnal.gov'.