<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Marek Mahut &#187; kerberos</title>
	<atom:link href="http://marek.mahut.sk/blog/tag/kerberos/feed/" rel="self" type="application/rss+xml" />
	<link>http://marek.mahut.sk/blog</link>
	<description></description>
	<lastBuildDate>Tue, 19 Oct 2010 07:56:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Multiple host names in a single kerberos key tab</title>
		<link>http://marek.mahut.sk/blog/2008/11/19/multiple-host-names-in-a-single-kerberos-key-tab/</link>
		<comments>http://marek.mahut.sk/blog/2008/11/19/multiple-host-names-in-a-single-kerberos-key-tab/#comments</comments>
		<pubDate>Wed, 19 Nov 2008 12:33:55 +0000</pubDate>
		<dc:creator>marek</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cluster]]></category>
		<category><![CDATA[fedora]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[kerberos]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[rhel]]></category>
		<category><![CDATA[sysadmin]]></category>

		<guid isPermaLink="false">http://marek.mahut.sk/blog/?p=253</guid>
		<description><![CDATA[If you are running a clustered service with Kerberos, you may want to merge the per-host keytab files into one for simpler distribution.

Create host and service principals.

kadmin:  addprinc -randkey host/node1.corp.intranet.lan
kadmin:  addprinc -randkey host/node2.corp.intranet.lan
kadmin:  addprinc -randkey host/node3.corp.intranet.lan
kadmin:  addprinc -randkey host/node4.corp.intranet.lan
kadmin:  addprinc -randkey host/node5.corp.intranet.lan
kadmin:  addprinc -randkey host/node6.corp.intranet.lan
kadmin:  addprinc -randkey host/node7.corp.intranet.lan
kadmin:  addprinc [...]]]></description>
			<content:encoded><![CDATA[<p>If you are running a clustered service with Kerberos, you may want to merge the per-host keytab files into one for simpler distribution.</p>
<ul>
<li>Create host and service principals.</li>
</ul>
<pre style="padding-left: 60px;">kadmin:  addprinc -randkey host/node1.corp.intranet.lan
kadmin:  addprinc -randkey host/node2.corp.intranet.lan
kadmin:  addprinc -randkey host/node3.corp.intranet.lan
kadmin:  addprinc -randkey host/node4.corp.intranet.lan
kadmin:  addprinc -randkey host/node5.corp.intranet.lan
kadmin:  addprinc -randkey host/node6.corp.intranet.lan
kadmin:  addprinc -randkey host/node7.corp.intranet.lan
kadmin:  addprinc -randkey host/node8.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node1.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node2.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node3.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node4.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node5.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node6.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node7.corp.intranet.lan
kadmin:  addprinc -randkey HTTP/node8.corp.intranet.lan</pre>
<ul>
<li>Save them all to a single file (cluster.keytab).</li>
</ul>
<pre style="padding-left: 60px;">kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node1.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node2.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node3.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node4.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node5.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node6.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node7.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab host/node8.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node1.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node2.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node3.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node4.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node5.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node6.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node7.corp.intranet.lan
kadmin:  ktadd -k /etc/httpd/cluster.keytab HTTP/node8.corp.intranet.lan</pre>
<ul>
<li>As an alternative, you can use the ktutil command if you already have a set of keytab files.</li>
</ul>
<pre style="padding-left: 60px;">ktutil:  rkt /etc/krb5/node1.corp.intranet.lan.keytab
ktutil:  rkt /etc/krb5/node2.corp.intranet.lan.keytab
ktutil:  rkt /etc/krb5/node3.corp.intranet.lan.keytab
ktutil:  rkt /etc/krb5/node4.corp.intranet.lan.keytab
ktutil:  rkt /etc/krb5/node5.corp.intranet.lan.keytab
ktutil:  rkt /etc/krb5/node6.corp.intranet.lan.keytab
ktutil:  rkt /etc/krb5/node7.corp.intranet.lan.keytab
ktutil:  wkt /etc/cluster.keytab</pre>
<p>Voila.</p>
]]></content:encoded>
			<wfw:commentRss>http://marek.mahut.sk/blog/2008/11/19/multiple-host-names-in-a-single-kerberos-key-tab/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

