[
https://issues.apache.org/jira/browse/DIRKRB-94?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13654961#comment-13654961
]
James C. Wu commented on DIRKRB-94:
-----------------------------------
Active Directory use ktpass for generating keytab file. The command works as
follows:
ktpass -out {keytab-file-to-produce} -princ
{Service-Principal-Name}@{the-kerberos-realm} -mapUser {AD-user} -mapOp set
-pass {AD-user-password} -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
On linux, there is java tool ktab that works similarly to ktpass. For example,
[root@wssecjibe bin]# ./ktab -a
HTTP/[email protected] ot56prod -k /etc/krb5.keytab
Done!
Service key for principal HTTP/[email protected]
saved
ot56prod is the password for the principle.
But they all require the password of the principle. I would like to have a tool
that I can dump the keytab file if I have admin credential to the KDC.
> Keytab export for Kerberos principles
> -------------------------------------
>
> Key: DIRKRB-94
> URL: https://issues.apache.org/jira/browse/DIRKRB-94
> Project: Directory Kerberos
> Issue Type: New Feature
> Reporter: James C. Wu
> Assignee: Emmanuel Lecharny
>
> As an administrator, I should be able to export the keytab of any Kerberos
> principle without having to know their password.
> The keytab can either be generated in an interactive way like Kadmin or can
> be generated through a script provided the right credential.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
