Fermilab Kerberos Tips
Creating a keytab file for a project principal
Before you begin, you should have requested and received a project
principal and an initial password from the computer security team.
Definitions
Let's call the unix account which will use this principal
"projacct" and the principal itself
"foo/bar/host.fnal.gov@FNAL.GOV".
Let "/dir-path/file" stand for the full pathname of the
keytab file you'll choose in the next step.
Procedure
- Decide where the keytab will be stored. Consider the following
points:
- It must be on local storage, which is not shared
over the network.
- The keytab file must be readable only by the unix account
which should obtain tickets with it. (And, necessarily, by root.)
It may prove convenient to also have it writable by that user.
- Every directory in the tree above that file must have at
least "x" (execute) access for this account.
- The file should not be backed up, or the backup media should
be stored as securely as the machine's disk itself.
A good and common choice is /var/adm/krb5/foo.keytab.
- Create the directory, if necessary, and set its ownership and
permissions. Make sure the keytab file does not already exist:
ktadd appends to an existing keytab rather than replacing it.
- Working as user root if projacct has
no write access to /dir-path, otherwise as
user projacct, execute this command:
kadmin -r FNAL.GOV -p foo/bar/host.fnal.gov@FNAL.GOV \
-q "ktadd -k /dir-path/file foo/bar/host.fnal.gov@FNAL.GOV"
and provide the initial password you were given.
- If you are root, set the ownership of the keytab, and confirm its
mode is 0600 (owner read/write only):
chown projacct /dir-path/file
chmod 600 /dir-path/file
- Check the permissions on the file and all directories above it,
then test it by su'ing to projacct (if
you haven't already) and:
kinit -l 5m -k -t /dir-path/file foo/bar/host.fnal.gov
klist -f
kdestroy
When you execute the kadmin command, ktadd replaces the principal's
key with a newly generated random one, so the initial password is
no longer valid for that principal. If you were issued
the same initial password for multiple project principals,
create all their keytabs promptly.
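The whole procedure above, collected into one script, as an added example written for this page (it is not Fermilab's own tooling). It assumes a Linux host with bash and GNU stat, and the names used on this page: the account projacct, the principal foo/bar/host.fnal.gov@FNAL.GOV and the keytab /var/adm/krb5/foo.keytab (all overridable through environment variables). The kadmin/kinit steps only run when the script is invoked with the argument "setup", since they need the initial password and a reachable KDC; the permission checker runs anywhere.

```bash
#!/bin/bash
# Added example for this page (not Fermilab's script). Assumed names:
# projacct, foo/bar/host.fnal.gov@FNAL.GOV, /var/adm/krb5/foo.keytab.
set -u

PROJACCT="${PROJACCT:-projacct}"
PRINC="${PRINC:-foo/bar/host.fnal.gov@FNAL.GOV}"
KEYTAB="${KEYTAB:-/var/adm/krb5/foo.keytab}"
REALM="${REALM:-FNAL.GOV}"

# GNU stat helpers (assumed Linux host)
mode_of()  { stat -c '%a' "$1"; }
owner_of() { stat -c '%U' "$1"; }
group_of() { stat -c '%G' "$1"; }

# in_group USER GROUP: true if USER is a member of GROUP
in_group() {
    local g
    for g in $(id -Gn "$1" 2>/dev/null); do [ "$g" = "$2" ] && return 0; done
    return 1
}

# dir_searchable_by DIR USER: true if USER has "x" (search) permission on DIR,
# judged from the owner/group/other bits only (POSIX ACLs are not consulted;
# root is deliberately not special-cased, which is stricter than necessary).
dir_searchable_by() {
    local dir="$1" user="$2" mode bit
    # keep the low three octal digits, zero-padded (e.g. "1777" -> "777", "77" -> "077")
    mode=$(printf '%03d' "$(( 10#$(mode_of "$dir") % 1000 ))")
    if   [ "$(owner_of "$dir")" = "$user" ];       then bit=${mode:0:1}
    elif in_group "$user" "$(group_of "$dir")";    then bit=${mode:1:1}
    else                                                bit=${mode:2:1}
    fi
    [ $((bit & 1)) -eq 1 ]
}

# check_keytab FILE USER: verifies the requirements listed on this page:
#   - FILE exists, is a regular file and is owned by USER
#   - no group/other bits (mode 600, or 400 since writability is optional)
#   - every directory above FILE grants USER "x" access
# Prints each violation; returns 0 only when every check passes.
check_keytab() {
    local file="$1" user="$2" rc=0 dir owner mode
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file (or not reachable by $(id -un))"
        return 1
    fi
    owner=$(owner_of "$file")
    if [ "$owner" != "$user" ]; then
        echo "FAIL: $file is owned by $owner, expected $user"; rc=1
    fi
    mode=$(mode_of "$file")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $file has mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    dir=$(dirname "$file")
    while :; do                      # walk up to "/"
        if ! dir_searchable_by "$dir" "$user"; then
            echo "FAIL: $dir is not searchable (x) by $user"; rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# setup_keytab: the procedure itself. Run as root if projacct cannot write
# the keytab directory, otherwise as projacct; kadmin prompts for the
# initial password, after which that password no longer works.
setup_keytab() {
    local dir; dir=$(dirname "$KEYTAB")
    mkdir -p "$dir"
    if [ -e "$KEYTAB" ]; then
        echo "refusing to continue: $KEYTAB already exists (ktadd would append to it)"
        return 1
    fi
    kadmin -r "$REALM" -p "$PRINC" -q "ktadd -k $KEYTAB $PRINC" || return 1
    [ "$(id -un)" = root ] && chown "$PROJACCT" "$KEYTAB"
    chmod 600 "$KEYTAB"
    check_keytab "$KEYTAB" "$PROJACCT" || return 1
    # the test from the page: obtain a short-lived ticket with the keytab
    if [ "$(id -un)" = root ]; then
        su "$PROJACCT" -c "kinit -l 5m -k -t '$KEYTAB' '${PRINC%@*}' && klist -f && kdestroy"
    else
        kinit -l 5m -k -t "$KEYTAB" "${PRINC%@*}" && klist -f && kdestroy
    fi
}

if [ "${1:-}" = "setup" ]; then
    setup_keytab
fi
```

Run `./keytab-setup.sh setup` (as root or as projacct, per the rule above) to perform the procedure; later, `check_keytab /var/adm/krb5/foo.keytab projacct` can be re-run from any shell that sources the script to confirm the file and its directory chain still meet the requirements, for instance after a package upgrade or a restore from backup has touched permissions.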