To create a keytab file: On the domain controller server, create a user account named control- in the Active Directory Users and Computers snap-in. If you want to use the AES256-SHA1 encryption algorithm, do the following in the Active Directory Users and Computers snap-in: Open the properties of the created account.

• Generate Keytab File Free
• Generate Keytab File Pdf

• To create a principal and generate a keytab file, you can use the kadmin command.
• Mar 19, 2021 The keytab file keeps the names of Kerberos principals and the corresponding encrypted keys. Now let’s take a look at how our Support Engineers create a keytab file. First, we create a service account in AD and set a known password for it.
• In order to generate a keytab on Windows, you need to be running some version of Kerberos which talks back to a Directory server. On Windows, by far the most prevalent example of this is Active Directory, which has Kerberos support built-in. You'll need to create the keytab on a Windows server joined to the Active Directory domain.

To create a principal and generate a keytab file, you can use the kadmin command.

Before You Begin

If any version of Kerberos is currently enabled on the storage system, you must first disable it by running nfs setup. In Kerberos is enabled, the following prompt appears:

Regardless of your response (y or n), the storage system terminates NFS setup; if you choose to disable Kerberos, the storage system first disables any current Kerberos implementation you have configured. For UNIX-based Kerberos, the nfs.kerberos.file_keytab.enable option is set to off.

Steps

Generate Keytab File Free

Generate Keytab File Pdf

1. On a UNIX or Linux system that supports UNIX-based Kerberos v5 services, enter the kadmin command or, if logged into the KDC, enter the kadmin.local command.
2. On the kadmin or kadmn.local command line, enter the following command: ank -randkey nfs/hostname.domainhostname is the host name of the NFS server principal and domain is the domain of the NFS server principal.

   A principal is created for the NFS server; for example, nfs/server.lab.my_company.com@LAB.MY_COMPANY.COM, where the realm is @LAB.MY_COMPANY.COM.

   If your KDC software creates a principal with a default encryption type that Data ONTAP does not support, such as the des3* or aes128* encryption type, you must invoke the ank command with the -e parameter to specify an encryption type that Data ONTAP does support, such as des-cbc-md5:normal. For example, the following command creates a principal with the des-cbc-md5 encryption type: kadmin: ank -e des-cbc-md5:normal -randkey nfs/server.lab.my_company.com

   For more information, see your KDC software documentation.

3. On the kadmn or kadmn.local command line, enter the following command: xst -k/tmp/filer.UNIX_krb5.conf nfs/hostname.domain where hostname is the host name of the server principal and domain is the domain of the server principal you created in Step 2. For example, enter: kadmin: xst -k/tmp/filer.UNIX_krb5.conf nfs/server.lab.my_company.com

   A keytab is created for the server principal nfs/server.lab.my_company.com@LAB.MY_COMPANY.COM. The KVNO 3 encryption type DES-CBC-CRC is added to the keytab WRFILE:/tmp/filer.UNIX_krb5.conf.

   If your KDC software creates a keytab with a default encryption type that Data ONTAP does not support, such as the des3* or aes128* encryption type, you must invoke the xst command with the -e parameter to specify an encryption type that Data ONTAP does support, such as des-cbc-md5:normal. For example, the following command creates a keytab with the des-cbc-md5 encryption type: xst -k /tmp/filer.keytab -e des-cbc-md5:normal nfs/filer.lab.mycompany.com

   For more information, see your KDC software documentation.

4. On the NFS server, enter the following command: cp /tmp/filer.UNIX_krb5.keytab /net/filer/vol/vol0/etc/krb5.UNIX_krb5.keytab

   The keytab is copied to the storage system.

   Attention: Once the keytab is copied to the storage system, be sure you do not export the /etc subdirectory of the volume. If you export the /etc subdirectory, clients can read the key information and masquerade as the storage system.
5. To copy the krb5.conf file to the storage system, do one of the following: On a UNIX client running MIT KDC software, enter the following command: cp /etc/krb5.conf /net/filer/vol/vol0/etc/krb5.conf On a Solaris client running SEAM, enter the following command: cp /etc/krb5/krb5.conf /net/filer/vol/vol0/etc/krb5.conf