
I would like to know if it’s possible to create a keytab file directly from a client machine without using the ktpass utility on the Windows Server side.

The main reason I would want this is to automatically enable the integration of Kerberos authentication from Windows Active Directory on Linux machines using some shell scripts.

Thanks

Allan Alvaro

1 Answer

If you’re running a Linux system, or any SAMBA-compatible system, you can use the net application to join the domain and remotely generate the keytab for you, and since you’re working in a “Kerberized” environment I would use Kerberos to handle all the authentication.

First of all, ask for a Kerberos ticket from the Windows KDC with any privileged account:

kinit Administrator

You can check if the ticket was successfully generated with klist; after the ticket is created, just join the domain using the net application:

net ads join createupn=host/your_hostname.example.com@EXAMPLE.COM -k

When the procedure is complete, just ask the KDC to create a keytab:

net ads keytab create -k

You can finally check the keytab creation with the klist -ke command if you’re using the MIT Kerberos version.

Vinícius Ferrão
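The steps in the answer above (kinit, net ads join, net ads keytab create, klist -ke) are what a join script has to automate. The script below is an added example, not code from the question or the answer: it wraps the procedure in POSIX sh, derives the host principal the same way the createupn= argument does, and then verifies the result by parsing klist -ke output and checking the keytab's file permissions, which is the part a script tends to skip. The realm EXAMPLE.COM, the Administrator account, the /etc/krb5.keytab path and the hostnames in the sample output are assumptions or constructed values; a configured /etc/krb5.conf and smb.conf pointing at the domain are assumed to exist.

```shell
#!/bin/sh
# Added example (not from the original answer). Automates the join/keytab
# procedure and verifies the outcome. Assumes Samba's `net`, MIT Kerberos
# `kinit`/`klist`, and an existing krb5.conf/smb.conf for the domain.
# REALM, ADMIN and KEYTAB are assumed defaults; override via the environment.
REALM="${REALM:-EXAMPLE.COM}"
ADMIN="${ADMIN:-Administrator}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Build the host principal used for createupn= from an FQDN and a realm.
# The host part is lower-cased and the realm upper-cased, matching AD's
# convention of case-insensitive names and upper-case Kerberos realms.
host_principal() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Read `klist -ke` style output on stdin and succeed only if a keytab entry
# for the given principal is present. Entry lines look like
# "   2 host/x@REALM (aes256-cts-hmac-sha1-96)", so the principal is field 2.
keytab_lists_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# A keytab holds long-term keys equivalent to the host's password, so it
# must be readable by root only. Returns 0 when the mode is 0600 or 0400.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Fail early if any of the needed tools is missing from PATH.
require_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
}

# The actual procedure from the answer, in order, with a verification step.
join_domain() {
    require_tools kinit klist net || return 1
    upn=$(host_principal "$(hostname -f)" "$REALM")
    kinit "$ADMIN@$REALM" || return 1              # obtain the admin TGT
    klist >/dev/null || return 1                     # confirm the ticket exists
    net ads join "createupn=$upn" -k || return 1     # join using the Kerberos ticket
    net ads keytab create -k || return 1             # ask the KDC for the keytab
    klist -ke "$KEYTAB" | keytab_lists_principal "$upn" || {
        echo "keytab $KEYTAB does not contain $upn" >&2; return 1; }
    keytab_mode_ok "$KEYTAB" || { echo "keytab $KEYTAB is too permissive" >&2; return 1; }
    echo "joined; keytab contains $upn"
}

# Constructed sample of `klist -ke` output, used so the parser can be
# exercised offline without touching a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 host/srv01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   2 SRV01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96) '

# Offline self-check: parse the sample for the expected principal.
demo_check() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_lists_principal "$(host_principal SRV01.Example.com example.com)"
}

# Only perform the real join when explicitly asked; the default run is offline.
if [ "${1:-}" = "--run" ]; then
    join_domain
else
    demo_check && echo "sample keytab lists the expected host principal"
fi
```

Run it with --run on the machine being joined (it needs the Administrator password for kinit); without arguments it only exercises the parser against the constructed sample. The mode check matters because net ads keytab create writes keys that let anyone who can read the file impersonate the host to the KDC.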