Return
-
Title
How to create a keytab against an existing service account in Active Directory. -
Description
For various reasons a keytab may be required for use against an existing service account in Active Directory. To do this manually can be difficult. The script included in this article is designed to simplify this task. It does require knowledge of the existing service account password however. -
Resolution
The create-keytab script, when executed will ask a number of questions to guide the creation of the keytab. At the end the keytab will be validated to ensure it was created successfully.There are a number of features but of note is the ability to create a keytab against an existing service account and reset the password to something secret. It is also possible to keep the existing password.The script is attached to this article as well as being available installed with version 4.1.0-22611 (it is expected to work with all 4.1 versions) and above in the following location: /opt/quest/libexec/vas/scripts/vas_sa_manager.shBelow is an example of a successful execution of the script. It must be executed as root.# /opt/quest/libexec/vas/scripts/vas_sa_manager.shSpecify the keytab path: : /etc/opt/quest/vas/sas9.keytablooking for keytab /etc/opt/quest/vas/sas9.keytab .......................................................... not foundUse an existing Active Directory user or service account? [yes]: yesThis step creates a service keytab for a pre-existingservice account in Active Directory.You will need to know the account password for theservice account or have permissions to reset the accountspassword.Contact your systems administration staff if you do not.Please specify the samAccountName of the existing service:samAccountName: test-sas9Do you want to change/set the password for test-sas9 [no]: yesDo you want to use test-sas9 to change their password [yes]: noCredentials required to set test-sas9 passwordPlease login with a sufficiently privileged domain account.Username [Administrator]: administratorPassword for administrator@EXAMPLE.COM:Validating that AD object test-sas9 exists in AD ......................................................... AD object foundUsing AD object ............................................................................................ CN=test-sas9,CN=Computers,DC=EXAMPLE,DC=COMDo you want to change the password for test-sas9 to a random secure password? [no]: yesSuccessfully changed password for test-sas9output new password to screen? [no]: noCreating keytab /etc/opt/quest/vas/sas9.keytab for Active Directory object test-sas9Adding entries to /etc/opt/quest/vas/sas9.keytab for:sas9/test.example.com@EXAMPLE.COM EncryptionType: aes256-cts-hmac-sha1-96sas9/test.example.com@EXAMPLE.COM EncryptionType: aes128-cts-hmac-sha1-96sas9/test.example.com@EXAMPLE.COM EncryptionType: arcfour-hmac-md5checking new service keytab file exists .................................................................... foundCan root read /etc/opt/quest/vas/sas9.keytab ............................................................... yeschecking test-sas9 can request a service ticket for test-sas9@EXAMPLE.COM .............................. yeschecking test-sas9 can request a service ticket for sas9/test.example.com@EXAMPLE.COM .................. yes -
Attachments
-
Additional Information
While windows tools like 'ktpass' can be used for keytab management, using QAS scripts and tools allows us to ensure they will work as expected including our ability to support and correct any errors that occur. It is strongly recommended to utilize QAS tools when creating, modifying or managing keytabs. Anytime a keytab and service account requires validation, modification or creation this script can be used. This would include the Mod Auth Vas solution for Apache, SSO for SAP and SAS scenarios.