
Passwords for Server Accounts

During login, all principals (human, server, and machine) must pass their password to the DCE Authentication Service, which uses these passwords to generate authentication keys. The most common method for human users is to simply enter their password. A different method must be provided for server principals. The recommended method, which is based on APIs that are supplied with DCE, is to store server keys in a locally protected key table. The default implementation of the DCE-supplied API stores the key table in a keytab file on the server's local machine and protects the file so that only a principal's local identity can read or write the file.

Keytab files can be accessed remotely if they reside on a file system that is exported. On the local machine, therefore, store the keytab files in a partition of the machine's disk that is not exported by any file system.

Except for servers running as root or under the identity of the local machine, a separate keytab file needs to be used for each server. During login, the server can access this file to obtain its key, pass its key to the authentication service, log in, and be authenticated.
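The two protections described above (the keytab readable and writable only by the server principal's local identity, and stored on a partition that is not exported) can be verified with a small audit script. The following is an added example, not code from the DCE documentation; it assumes that ls -l prints the mode and owner in the usual columns and that exported directories appear as the first field of each line in an exports file. The keytab path and owner shown in the comment are hypothetical.

```shell
#!/bin/sh
# Audit of a DCE server keytab file (added example; not code from the DCE documentation).
# Assumes: ls -l prints "mode links owner ..." and the exports file lists one
# exported directory per line as its first field (blank lines and # comments are skipped).

# Succeed only if FILE is a regular file with no group or other permission bits,
# i.e. only its owner (the server principal's local identity) can read or write it.
keytab_mode_ok() {
    file=$1
    [ -f "$file" ] || return 1
    group_other=$(ls -ld "$file" | cut -c5-10)
    [ "$group_other" = "------" ]
}

# Succeed (meaning: NOT safe) if KEYTAB lies inside any directory listed in EXPORTS_FILE.
keytab_is_exported() {
    exports_file=$1
    keytab=$2
    while read -r dir _rest; do
        case "$dir" in ''|'#'*) continue ;; esac
        dir=${dir%/}   # "/" becomes "", so the pattern below then matches every absolute path
        case "$keytab" in
            "$dir"|"$dir"/*) return 0 ;;
        esac
    done < "$exports_file"
    return 1
}

# Combined check: owner-only mode, owned by EXPECTED_OWNER, and not on an exported partition.
# Hypothetical usage: audit_keytab /var/dce/keytabs/v5srvtab.myserver myserver /etc/exports
audit_keytab() {
    keytab=$1
    expected_owner=$2
    exports_file=$3
    if ! keytab_mode_ok "$keytab"; then
        echo "FAIL: $keytab is missing or readable/writable by group or others" >&2
        return 1
    fi
    owner=$(ls -ld "$keytab" | awk '{print $3}')
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $keytab is owned by $owner, expected $expected_owner" >&2
        return 1
    fi
    if keytab_is_exported "$exports_file" "$keytab"; then
        echo "FAIL: $keytab is under a directory that is exported" >&2
        return 1
    fi
    echo "OK: $keytab"
    return 0
}
```

Run the audit for each server's keytab file after creating it and again whenever the exports configuration changes.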

Use the dcecp keytab add command to add server keys to a keytab file, and the dcecp keytab remove command to delete server keys from it.