DevOps | Cloud | Analytics | Open Source | Programming

How To Create A Kerberos Keytab File ?

We will learn How To Create A Kerberos Keytab File in this post. But before that that quickly understand what is a keytab file

What is a Keytab file

  • Keytab file is basically as pair of Kerberos Principal & Encrypted Key
  • The encrypted keys are derived from the Kerberos password
  • We use keytab file as an authentication measure while trying to connect to remote systems which are layered by Kerberos security.


  • Kerberos is already installed and configured
  • Kerberos server is up and running
  • You have set-up a Realm
If you are not aware of how to configure Kerberos to do the above steps, please refer my earlier post which explains the Kerberos installation & set-up in detail -

How To Install & Configure Kerberos Server & Client in Linux ?

Assuming you are able to set up the Kerberos , lets dive in the steps to create a Kerberos Keytab file.  

Step 1 - Create a NEW Principal


  • Connect to the Kerberos Server .
  • Once connected , use below in command line

\[root@kerberos-server\]$ kadmin.local

  • You will land on the kadmin.local prompt. List existing principles

kadmin.local: listprincs

  • Create a New Principal in a the Realm. (We are using our Realm - TESTREALM.LOCAL). It will prompt to use password - so use your own password and note it down. Once done , you will get a prompt in the screen that Principal is created.

kadmin.local: add\_principal **[email protected]**

  • List and verify the Principal is created

kadmin.local: listprincs

Step 2 - Create the Keytab File for the New Principal

We have created a Principal in the above step. As a Continuation , in this step , we will create a Keytab file for the same Principal. We will use the same kadmin.local prompt for the same.

kadmin.local: xst -norandkey -k **testuser.keytab** **[email protected]** 

If you want to create the keytab file at any specific path (say /tmp/dir/) , use the path name. See example below

kadmin.local: xst -norandkey -k **/tmp/dir/testuser.keytab** **[email protected]** 

  • Quit the kadmin.local prompt

kadmin.local: quit

  • Verify the keytab file is created or not

\[root@kerberos-server\]$ ls

Step 3 - Check the Encryption (Optional)

  • Check the encryptions used in the Keytab file

\[root@kerberos-server\]$ klist -kte testuser.keytab

Step 4 - Use the Keytab File

  • Flush all the existing cache

\[root@kerberos-server\]$ kdestroy

  • Check if all caches cleared . Results will be empty.

\[root@kerberos-server\]$ klist

  • Do kinit to reinitialize for the Principal [email protected]. [ In actual Big Data environment , the Principal authentication needs to be renewed at regular intervals ( 8\12\24 Hrs or any interval that is set up) for keeping the Principal active. That is why kinit is performed at regular intervals so the Principla is active and can be used to connect to Remote servers (through Kerberos). ]

\[root@kerberos-server\]$ kinit -kt testuser.keytab [email protected]

  • If you use below command , after above step , it will show the cache for [email protected]. It also shows the timeline till when the Principal can be renewed.

\[root@kerberos-server\]$ klist

Hope you find this post helpful.  

Additional Post you can read -