HOW TO: Use Ktpass.exe in Windows 2000 (324144)


The information in this article applies to:

  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Small Business Server 2000
This article was previously published under Q324144

IN THIS TASK

SUMMARY

If you want to configure your UNIX hosts to use a Windows 2000-based server as a Kerberos Key Distribution Center (KDC), you must generate a Kerberos keytab file. You can use the Ktpass utility, which is included with the Microsoft Windows 2000 Resource Kit, to create a keytab file for your UNIX host.

back to the top

The Ktpass.exe Syntax

The Ktpass utility creates Kerberos keytab files that are used by UNIX Kerberos-based systems to define KDC hosts and user/service mappings.

The syntax for the command is:

ktpass /out filename /princ username [/mapuser] [/in filename] [/crpyto type] [/ptype type] [/keyno keynum] [/?]

Switch usage:
  • /out filename - Specifies the name of the keytable file to be generated.
  • /princ principal_name - The principal name.
  • /pass password - Password to use for this principal name.
  • /mapuser username - Map the name of a Kerberos principal to a local account.
  • /mapOp [add|set] - Defines how the mapping attribute is set. The default is to add.
  • /DesOnly - Set the account for DES-only encryption.
  • /in filename - The name of an existing keytab file to be used as the basis for the new keytab file.
  • /crypto [DES-CBC-CRC|DES-CBC-MD5] - Specify the encryption type to use (DES-CBC-CRC is the default).
  • /ptype ptype - Sets the principal type:

    KRB5_NT_PRINCIPAL: The name of the principal or for users
    KRB5_NT_SRV_INST: User service instance
    KRB5_NT_SRV_HST: Host service instance

  • /kvno number - The key version number (the default is 1).
  • /? - Shows the usage screen.
After you generate the keytab file, either replace the existing file or merge the new file with the existing /etc/krb5.keytab file.

back to the top

Generate a UNIX Host Keytab File

To create a UNIX keytab file to permit the UNIX host to authenticate with a Windows 2000-based server, you must create a user in Active Directory in Windows 2000. This user is used by the Kerberos service on the client. Then, generate the keytab file and copy it to the UNIX host.

To generate the host keytab file:
  1. Start the Active Directory Management tool.
  2. Right-click the Users folder, point to New, and then click User.
  3. Type the name of the UNIX host for which you want to add Kerberos support.
  4. Save the user.
  5. Start a command prompt, and then type the following command

    ktpass -princ host/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out UNIXmachine.keytab

    where:

    • hostname is the host's DNS name.
    • NT-DNS-REALM-NAME is the Active Directory domain name with which you want to authenticate.
    • account is the account that you created in Active Directory.
    • password is the password for the account.
  6. Copy the resulting keytab file to the UNIX host. Use the Ktutil tool to merge this file with the existing configuration file.
back to the top
Modification Type:MajorLast Reviewed:12/3/2003
Keywords:kbhowto kbHOWTOmaster KB324144 kbAudITPro
©2003 Microsoft Corporation. All rights reserved.