Keytab files are produced with the tools of a Kerberos implementation (or the other software described below), not with a stand-alone 'keytab creator'; those tools ship with the Kerberos packages for Linux, Mac and Windows and are obtained from the implementation's official source. In a Samba Active Directory domain, once the SPN has been added, a keytab for the account can be exported on the domain controller with samba-tool:

samba-tool domain exportkeytab <name>.keytab --principal=<principal>

This produces <name>.keytab containing the key for the account's UPN or SPN, depending on which is given to --principal.
Creating and verifying a keytab file for the 'serverdb_user' Spotfire database account in the research.example.com domain:

ktutil
ktutil: add_entry -password -p serverdb_user -k 0 -e rc4-hmac
Password for serverdb_user:
ktutil: write_kt spotfire-database.keytab
ktutil: quit
klist -k spotfire-database.keytab
kinit -k -t spotfire-database.keytab serverdb_user@RESEARCH.EXAMPLE.COM

(rc4-hmac is a deprecated cipher; prefer aes256-cts-hmac-sha1-96 where the account supports AES, keeping in mind that AES keys are salted and the salt ktutil derives from the principal name must match the KDC's.)

A keytab is a local, on-disk copy of a principal's long-term key. Despite older documentation calling it encrypted, it is not: anyone who can read the file holds the key. Like the KDC stash file (see Create the Database) it is a potential point of entry for a break-in, and if compromised it lets an attacker impersonate that principal without restriction; for a host keytab that means impersonating the host and decrypting every service ticket sent to it. A keytab should be readable only by root (or the service account that needs it), should exist only on the machine's local disk, and must be re-created whenever the principal's key changes.
This method of creating a keytab file on Linux uses the ktutil command.
Kerberos is installed on the Linux host where Spotfire Server is installed.
The tools ktutil, klist, and kinit are available on the Linux host.
Procedure
Start the ktutil tool by invoking it from the command line without any arguments. Execute the commands below, replacing <database account name> with the user login name of the Spotfire database account, written in lowercase letters:
Note: It is not critical to use the name 'spotfire-database.keytab' for the keytab file, but the following instructions assume that this name is used.
The tool prompts you for the password of the service account.
Enter the password that you used when creating the Spotfire database account.
Verify the created keytab by running the klist and kinit utilities:
Note: If you change the password of the Kerberos service account, you must re-create the keytab file.
Copy the spotfire-database.keytab file to the following Spotfire Server directory: <installation dir>/jdk/jre/lib/security.
Note: Because this file contains the account's secret key, it must be handled with care. It must be readable only by the user account under which Spotfire Server runs and must not under any circumstances be readable by unauthorized users.
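The procedure above (and the samba-tool note at the top of the page) is interactive. The following script is an added example, not Spotfire's or MIT's own code: it drives ktutil non-interactively, verifies the result with klist and kinit without touching the invoking user's ticket cache, and checks the file mode the MIT text calls for. It assumes MIT krb5 tools, that the password is supplied in the KEYTAB_PASSWORD environment variable (never on a command line, which other users can read via ps), and a key version number of 0 as in the page's example; the principal, realm and file name are the page's illustrative ones.

```shell
#!/bin/sh
# Added example, not Spotfire's or MIT's own script. Assumes MIT krb5 tools
# (ktutil, klist, kinit, kdestroy), kvno 0 as in the page's example, and the
# password in $KEYTAB_PASSWORD. Principal, realm and file name are the page's.

# Print the ktutil command sequence that adds one password-derived key and
# writes the keytab. create_keytab inserts the password on the line after
# add_entry, so it never appears in any command line or process listing.
build_ktutil_script() {
  principal=$1; kvno=$2; enctype=$3; keytab=$4
  printf 'add_entry -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$enctype"
  printf 'write_kt %s\n' "$keytab"
  printf 'quit\n'
}

# Exit 0 only when the file is readable and writable by its owner alone
# (mode -rw-------). ls output is parsed so this works on GNU and BSD alike.
keytab_perms_ok() {
  [ -f "$1" ] || return 1
  perm=$(ls -ld "$1" | cut -c5-10)   # group rwx + other rwx columns
  [ "$perm" = "------" ]
}

# Create the keytab non-interactively. add_entry -password reads the password
# from ktutil's stdin, so the heredoc supplies it on the line after add_entry.
# umask 077 ensures the file is never group- or world-readable, even briefly.
# The keytab holds only the derived key, never the password. AES keys are
# salted; if the KDC uses a non-default salt, kinit below fails with a
# preauthentication error. The page's rc4-hmac avoids that because RC4 keys
# are unsalted, at the price of a deprecated cipher, so AES is the default here.
create_keytab() {
  principal=$1; keytab=$2; enctype=${3:-aes256-cts-hmac-sha1-96}
  [ -n "${KEYTAB_PASSWORD:-}" ] || { echo "KEYTAB_PASSWORD not set" >&2; return 1; }
  rm -f "$keytab"
  ( umask 077
    ktutil <<EOF
add_entry -password -p $principal -k 0 -e $enctype
$KEYTAB_PASSWORD
write_kt $keytab
quit
EOF
  ) || return 1
  [ -s "$keytab" ] || { echo "ktutil wrote no keytab" >&2; return 1; }
  chmod 600 "$keytab"
  keytab_perms_ok "$keytab"
}

# Prove the keytab works: list its entries (never with -K, which prints the
# keys), then kinit into a throwaway credential cache and destroy it, so the
# user's own tickets are untouched.
verify_keytab() {
  principal=$1; keytab=$2
  klist -k -t -e "$keytab" || return 1
  cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_verify.XXXXXX") || return 1
  KRB5CCNAME="FILE:$cache" kinit -k -t "$keytab" "$principal" \
    && KRB5CCNAME="FILE:$cache" klist
  rc=$?
  KRB5CCNAME="FILE:$cache" kdestroy 2>/dev/null
  rm -f "$cache"
  return $rc
}

# Usage: KEYTAB_PASSWORD='...' sh this-script.sh  (runs only when ktutil exists)
if command -v ktutil >/dev/null 2>&1 && [ -n "${KEYTAB_PASSWORD:-}" ]; then
  create_keytab serverdb_user@RESEARCH.EXAMPLE.COM spotfire-database.keytab \
    && verify_keytab serverdb_user@RESEARCH.EXAMPLE.COM spotfire-database.keytab
fi
```

After a successful run, copy spotfire-database.keytab to the Spotfire Server directory named in the procedure and re-check its mode there; a keytab copied with cp inherits the destination umask, not the 600 set here.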
Heimdal Kerberos is shipped as part of Mac OS X (as of the OS X 10.7 'Lion' release). Heimdal is an alternate implementation of the Kerberos protocol and (mostly) interoperates with the more common MIT Kerberos, such as is installed on NCSA Linux systems.
To configure Kerberos on the Macintosh, obtain the current NCSA Kerberos configuration file krb5.conf from the Kerberos Configuration Information page. The system expects to find this configuration file in one, and only one, of two places. Check for the existence of either of the following two files (/etc is a private directory and requires root privileges):
/etc/krb5.conf
/Library/Preferences/edu.mit.Kerberos
The recommended practice is to rename the file to /etc/krb5.conf. If the second file (edu.mit.Kerberos) is present it needs to be deleted. Make sure the Kerberos configuration file only exists in one of these two places!
If you commonly work from behind a NAT (Network Address Translation) router, as is typical of many cable and DSL internet users, also add the following line to the [libdefaults] section of the Kerberos configuration, so that tickets are issued without embedded client addresses (an address embedded before translation would no longer match after it):
noaddresses = TRUE
Once you have set up Kerberos, you have:
Kerberized telnet and ssh clients
A Kerberized ssh server (if you complete the steps outlined below)
You will not have Kerberized ftp, rlogin, and rsh.
Kerberos Login and Screen Saver
To use Kerberos for local login and screen saver the following configurations are necessary.
For AFS access: Download the latest release of OpenAFS from OpenAFS.org site, selecting the version for your Mac OS X version.
During the install, the OpenAFS Client Cell panel prompts for the default AFS cell. Enter 'ncsa.uiuc.edu' to connect to the NCSA AFS cell and 'ncsa' as the Cell Alias.
Alternatively, go to /var/db/openafs/etc/ (requires root privileges) and edit the ThisCell file so that it contains only a single line containing the text 'ncsa.uiuc.edu'.
Restart your computer.
Authenticate to Kerberos
To authenticate, use either the command line kinit as you would on a Linux system, or the OS X GUI application Ticket Viewer.
Command Line kinit
Open a terminal window and run the command kinit. See section 12.1 kinit. If you are using AFS, run the aklog command after the kinit in order to get the necessary AFS token.
GUI
Open Keychain Access (also in the /Applications/Utilities folder) and select Ticket Viewer from under the Keychain Access menu.
Click Add Identity in the Ticket Viewer.
Check that your username is right and the realm is NCSA.EDU. Enter your Kerberos password and click OK.
You'll see your principal name appear and a Time Remaining for your tickets. You can click the triangle to reveal a list of the tickets.
Now you are ready to connect to a Linux system with ssh. You can quit the Kerberos GUI application without losing your tickets.
SSH Server Configuration (To be able to Connect to your Macintosh with GSSAPI Authentication)
To set up your Macintosh for incoming SSH connections that comply with NCSA security policies, edit /etc/sshd_config (/etc/ssh/sshd_config on later macOS releases) and make the settings listed here; you might also need to uncomment lines by removing the leading '#'.
If your Mac is a DHCP client, make sure it gets a stable hostname when connected. Go to System Preferences, click Network, and choose each network interface you intend to use (probably just 'Ethernet' and 'AirPort' or 'Wi-Fi'). For each one, click Advanced, go to the TCP/IP tab, and fill in the 'DHCP Client ID' box with just your hostname (not the fully qualified name). For example, suppose you have registered your Macintosh with the hostname fondulac: put fondulac in the box, even though your full domain name is fondulac.ncsa.illinois.edu.

Send an email to [email protected] to request a 'host principal', providing the fully qualified domain name (i.e. fondulac.ncsa.illinois.edu). Once you get a reply with an initial host principal password, you need to create a keytab file to hold the principal's key. You cannot do this on the Macintosh, because the Heimdal-based kadmin utility shipped with it does not interoperate with the kadmin server on the master KDC. Instead, log into a Linux system, create the keytab there, and transport the file back to your Macintosh over a secure channel (scp, the SSH file copy utility, will do), where it is stored as /etc/krb5.keytab. On the Linux system, run this command:
Provide the password when prompted; it can be used only once. If successful, the terminal displays a message to the effect of 'Entry for principal host/fondulac.ncsa.illinois.edu .. added to keytab fondulac.keytab.' Use a secure method to transfer fondulac.keytab to your Macintosh and save it as /etc/krb5.keytab, owned by root and readable by root only.
Open System Preferences, pick 'Sharing', and click 'Remote Login' to enable incoming SSH. Make sure your correct hostname (not the fully qualified name) is in the Computer Name field. Add a .k5login file to the home directory of any account you want to be able to log in to remotely, listing the principals allowed to log into that account, one full principal per line with no spaces and the Kerberos realm name in upper case (for example user@NCSA.EDU). This file must be writable only by the account itself and/or root; sshd ignores it otherwise.
Run kinit on your workstation to acquire a Kerberos ticket. You can then connect to the OS X server with ssh.
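The host-principal procedure above leaves out the actual commands. What follows is an added example, not part of the NCSA page: it covers exporting the host key on the Linux side, installing it on the Mac, and checking the two things sshd will silently reject, a badly formed or badly permissioned .k5login and a GSSAPIAuthentication setting that is still commented out. It assumes MIT krb5 on the Linux side, OpenSSH on the Mac, that the page's unshown kadmin command is the standard MIT ktadd (the 'Entry for principal ... added to keytab' message the page quotes is ktadd's), and that the password is typed at kadmin's prompt, never passed on a command line. The hostname, realm and sshd_config path are the page's; on later macOS releases the file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the NCSA page. Assumptions: MIT kadmin on Linux,
# OpenSSH sshd on the Mac, ktadd as the (unshown) keytab command, and the
# page's hostname and realm. Run the install_* step as root on the Mac.

HOST_FQDN=${HOST_FQDN:-fondulac.ncsa.illinois.edu}
REALM=${REALM:-NCSA.EDU}

# Step 1 (Linux): write the host key into a throwaway keytab. ktadd replaces
# the principal's key with a random one, which is why the initial password
# works only once: afterwards the keytab is the only copy of the key.
export_host_keytab() {
  fqdn=$1; keytab=$2
  ( umask 077
    kadmin -p "host/$fqdn@$REALM" -q "ktadd -k $keytab host/$fqdn@$REALM" )
}

# Step 2 (Mac, as root): install the transferred file where sshd's GSSAPI
# code looks for it, root-owned and unreadable by anyone else, then confirm
# the expected host entry is present and remove the transported copy.
install_host_keytab() {
  src=$1; dst=${2:-/etc/krb5.keytab}
  install -m 0600 -o root "$src" "$dst" || return 1
  rm -f "$src"
  klist -k "$dst" | grep -q "host/$HOST_FQDN@$REALM"
}

# Step 3: validate a .k5login against the page's rules: one full principal
# per line, realm in upper case, no whitespace, file writable only by its
# owner. Returns 1 on the first violation.
k5login_ok() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c5-10)        # group rwx + other rwx columns
  case $mode in *w*) return 1 ;; esac     # group- or world-writable: reject
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '') continue ;;                     # tolerate blank lines only
      *' '*|*'	'*|*@*@*) return 1 ;;    # whitespace or two @ signs
      *@*) realm=${line##*@}
           [ "$realm" = "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1 ;;
      *) return 1 ;;                      # bare username, no realm
    esac
  done < "$f"
}

# Step 4: read an sshd_config option the way sshd does: first occurrence
# wins, keywords are case-insensitive, commented lines do not count.
# (Match blocks are not modelled; keep GSSAPI settings in the global section.)
sshd_option() {
  cfg=$1; opt=$2
  awk -v opt="$opt" 'tolower($1)==tolower(opt) && !seen {v=$2; seen=1} END{print v}' "$cfg"
}
gssapi_enabled() {
  [ "$(sshd_option "${1:-/etc/sshd_config}" GSSAPIAuthentication | tr '[:upper:]' '[:lower:]')" = yes ]
}

# Usage on the Mac, after the keytab has arrived as /tmp/fondulac.keytab:
#   install_host_keytab /tmp/fondulac.keytab
#   k5login_ok ~/.k5login && gssapi_enabled /etc/sshd_config && echo ready
```

If gssapi_enabled reports no, the client side will fall back to whatever else sshd permits, usually a password prompt, which is exactly what the GSSAPI configuration was meant to avoid; check the effective value with the function rather than by eye, since an uncommented GSSAPIAuthentication no earlier in the file silently overrides a yes added at the bottom.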
SSH Server Configuration (To be able to Connect to your Macintosh with Kerberos password Authentication)
To permit the use of ssh with Kerberos passwords the following modification of the pam configuration is required.
If you get the error 'KDC reply did not match expectations' or 'Clock skew too great while getting initial credentials', your computer's date and time differ too much from the date and time on the Kerberos server (by default more than five minutes). Should you see this error, make sure your date and time are correct.
On a Macintosh, the Date and Time in the System Preferences or Control Panel has an option for using a network time server. To set the date and time:
First quit all Kerberos-using applications.
Follow the instructions to Set the date and time from Apple.