Creating an MIT style keytab for an existing Windows AD member computer
Nicolas.Williams at sun.com
Wed Jul 23 15:33:54 EDT 2008
On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible .
Nor ist it possible to extract them from MIT krb5 KDCs.
> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a keytab file.
You can build keytabs directly on MIT krb5 systems using the MIT krb5
API, or even interactively with kpasswd and ktutil (an early version of
adjoin [see below] did just that).
Or you could probably just use or adapt Sun's adjoin/ksetpw tools to
> Note that you must have at least account operator privilege to set a
> password in AD.
>  There is a freeware utility called ktexport that can extract the
> keys from a DC and dump them into a keytab but it is only (sometimes)
> useful for debugging purposes with WireShark. The resulting keytab is
> not valid for use with any kind of service.
Sure, if you have direct, privileged access to a KDC you could always
extract its keys. Portions of the KDC could run directly in a hardware
keystore, making it really hard to get to the keys, but that's not the
More information about the Kerberos