directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James C. Wu (JIRA)" <>
Subject [jira] [Commented] (DIRKRB-94) Keytab export for Kerberos principles
Date Fri, 10 May 2013 22:47:16 GMT


James C. Wu commented on DIRKRB-94:

Active Directory use ktpass for generating keytab file. The command works as follows: 

ktpass -out {keytab-file-to-produce} -princ {Service-Principal-Name}@{the-kerberos-realm}
-mapUser {AD-user} -mapOp set -pass {AD-user-password} -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

On linux, there is java tool ktab that works similarly to ktpass. For example, 
[root@wssecjibe bin]# ./ktab -a	
HTTP/ ot56prod -k /etc/krb5.keytab
Service key for principal HTTP/ saved

ot56prod is the password for the principle. 

But they all require the password of the principle. I would like to have a tool that I can
dump the keytab file if I have admin credential to the KDC.

> Keytab export for Kerberos principles
> -------------------------------------
>                 Key: DIRKRB-94
>                 URL:
>             Project: Directory Kerberos
>          Issue Type: New Feature
>            Reporter: James C. Wu
>            Assignee: Emmanuel Lecharny
> As an administrator, I should be able to export the keytab of any Kerberos principle
without having to know their password. 
> The keytab can either be generated in an interactive way like Kadmin or can be generated
through a script provided the right credential.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message