Kerberos 5.15 Installation Guide - Create a kadmind Keytab (optional)

Node:Create a kadmind Keytab (optional), Next:Start the Kerberos Daemons, Previous:Add Administrators to the Kerberos Database, Up:Install the Master KDC

Create a kadmind Keytab (optional)

The kadmind keytab is the key that the legacy admininstration daemons kadmind4 and v5passwdd will use to decrypt administrators' or clients' Kerberos tickets to determine whether or not they should have access to the database. You need to create the kadmin keytab with entries for the principals kadmin/admin and kadmin/changepw. (These principals are placed in the Kerberos database automatically when you create it.) To create the kadmin keytab, run kadmin.local and use the ktadd command, as in the following example. (The line beginning with => is a continuation of the previous line.):

     shell% /usr/local/sbin/kadmin.local
     kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
     => kadmin/admin kadmin/changepw
      Entry for principal kadmin/admin with kvno 5, encryption
     	type Triple DES cbc mode with HMAC/sha1 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode
     	with CRC-32 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/changepw with kvno 5, encryption
     	type Triple DES cbc mode with HMAC/sha1 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/changepw with kvno 5,
     	encryption type DES cbc mode with CRC-32 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     kadmin.local: quit
     shell%

As specified in the -k argument, ktadd will save the extracted keytab as
/usr/local/var/krb5kdc/kadm5.keytab. The filename you use must be the one specified in your kdc.conf file.