Creating an MIT style keytab for an existing Windows AD member computer

Nicolas Williams Nicolas.Williams at
Wed Jul 23 15:33:54 EDT 2008

On Wed, Jul 23, 2008 at 02:01:43PM -0400, Michael B Allen wrote:
> Extracting the keys from AD is not possible [1].

Nor ist it possible to extract them from MIT krb5 KDCs.

> However, the ktpass utility from MS can set the password, generate the
> corresponding key separately and put it into a keytab file.

You can build keytabs directly on MIT krb5 systems using the MIT krb5
API, or even interactively with kpasswd and ktutil (an early version of
adjoin [see below] did just that).

Or you could probably just use or adapt Sun's adjoin/ksetpw tools to
your purposes:

> Note that you must have at least account operator privilege to set a
> password in AD.


> Mike
> [1] There is a freeware utility called ktexport that can extract the
> keys from a DC and dump them into a keytab but it is only (sometimes)
> useful for debugging purposes with WireShark. The resulting keytab is
> not valid for use with any kind of service.

Sure, if you have direct, privileged access to a KDC you could always
extract its keys.  Portions of the KDC could run directly in a hardware
keystore, making it really hard to get to the keys, but that's not the
case here.


More information about the Kerberos mailing list