Kerberos auth against AD, keytabs, and service principal names

Michael B Allen ioplex at
Mon Jul 20 15:23:38 EDT 2009

On Mon, Jul 20, 2009 at 2:23 PM, <kerberos at> wrote:
> I've been able to use ktpass.exe on the Windows (2003R2) side to
> create working keytabs for my NFSv4 environment.  I'd like to have
> both host/ and nfs/ service principal names for each host.fqdn in my
> (DNS) domain.  To this end I ran 'setspn -A ...' to create a SPN for
> host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
> keytab for each of host/host.fqdn and nfs/host.fqdn.

Ktpass sets the password on an account and not an SPN. SPNs are linked
to an account. Meaning, each time you run ktpass.exe it invalidates
whatever keytab you generated with a previous invocation of ktpass.exe
so that's why it doesn't work.

> Then I copied the keytabs to my Linux system and tested kinit for
> host/host.fqdn and nfs/host.fqdn.  kinit for nfs/host.fqdn worked but
> kinit for host/host.fqdn *failed*.   What?!  Looking at my entries in
> AD, it appears that ktpass.exe sets both userprincipal name and
> serviceprincipal name to *the same thing* and merely adding SPNs to
> the host.fqdn entry in AD doesn't fix the problem with kinit -- if
> princ/host.fqdn doesn't exist in AD as a UPN.  That is to say, only
> UPNs are consulted when I kinit some princ/host.fqdn?

Ktpass is a very simple program and cannot be used for what you are doing.

You need to generate a single keytab with multiple entries - one for
each SPN. You can do this by setting the password on the service
account to a known value and then using ktutil to create a keytab with
multiple entries with principals for each SPN but with the same key.

Note that if you have PHP running somewhere there is a product called
Plexcel (one installation free for up to 25 users) that can generate
keytabs with an entry for each SPN in AD. The exact function is
described here:

but you can also commandeer the included setup.php to do this without
writing any code. After you set the password in setup.php there will
be a keytab in the Plexcel tmp directory with an entry for each SPN in
AD for the account. And you can create the service account and set the
password entirely from Plexcel.


Michael B Allen
Java Active Directory Integration
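Added example, not part of the original message and not Plexcel or MIT code: a check that a merged keytab really holds one entry per SPN with the same kvno, enctype and key, which is the property the reply says ktutil should produce. It reads the MIT keytab file format (version 0x0502); the host name, realm and key bytes are constructed placeholders.

```python
import struct

def pack_entry(realm, comps, kvno, enctype, key):  # writer used only for the samples
    c = lambda b: struct.pack(">H", len(b)) + b      # 16-bit length-prefixed field
    body = struct.pack(">H", len(comps)) + b"".join(c(x.encode()) for x in [realm, *comps])
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + c(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype, key) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                                # negative size = deleted slot
            continue
        ncomp, off = struct.unpack_from(">H", rec)[0], 2
        def counted():
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        # Skip name type and timestamp (8 bytes), then 8-bit kvno, enctype, key length.
        kvno, enctype, klen = struct.unpack_from(">8xBHH", rec, off)
        key, off = rec[off + 13:off + 13 + klen], off + 13 + klen
        if len(rec) - off >= 4:                      # optional 32-bit kvno wins if nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append((f"{name}@{realm}", kvno, enctype, key))
    return out

def check_shared_key(entries, spns):
    """List reasons the SPNs cannot all be served by one account password."""
    seen = {}
    for princ, *rest in entries:
        seen.setdefault(princ, set()).add(tuple(rest))
    problems = [f"missing entry for {s}" for s in spns if s not in seen]
    if len({frozenset(seen[s]) for s in spns if s in seen}) > 1:
        problems.append("SPNs do not share one kvno/enctype/key")
    return problems

# Constructed samples (dummy keys; enctype 23 = rc4-hmac), not data from the thread.
HOST, REALM = "host.example.com", "EXAMPLE.COM"
SPNS = [f"host/{HOST}@{REALM}", f"nfs/{HOST}@{REALM}"]
ent = lambda svc, kvno, key: pack_entry(REALM, [svc, HOST], kvno, 23, key)
GOOD = b"\x05\x02" + ent("host", 3, b"A" * 16) + ent("nfs", 3, b"A" * 16)
STALE = b"\x05\x02" + ent("host", 2, b"B" * 16) + ent("nfs", 3, b"A" * 16)
```

`STALE` models a keytab stitched together from two separate password sets on the same account: the host/ entry carries the older key and kvno, so the check reports a mismatch.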
