LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide

Chapter 4: Administering LDAP-UX Client Services
Creating an /etc/krb5.keytab File
In an ADS multiple-domain environment, your HP-UX client machine
communicates with multiple Windows 2000 or 2003 domain controllers. To
set up Kerberos authentication, your HP-UX host needs a service key that
is known to every domain controller, each of which also acts as a KDC.
The service key is created on the Windows 2000 or 2003 Server using
ktpass (described in step 5 of "Configuring Active Directory for HP-UX
Integration"). After you create the service key file on each domain
controller, you need to transfer it securely to your HP-UX machine; the
file contains the host's long-term key, so use an encrypted channel
(for example scp) or removable media, never a clear-text protocol such
as FTP. All service key files must be merged and stored in
/etc/krb5.keytab.
For example, if you integrate LDAP-UX with multiple ADS domains so that
users from DomainA, DomainB, and DomainC can log into your HP-UX client
machine, you need to create the service key on each domain controller
(say domainA.keytab on DomainA, domainB.keytab on DomainB, and
domainC.keytab on DomainC), then transfer those files to your HP-UX
machine. Finally, merge the three service key files to create
/etc/krb5.keytab. Use ktutil to merge the service key files on your
HP-UX machine, reading each per-domain file and writing the combined
result to /etc/krb5.keytab:
# /usr/sbin/ktutil
ktutil: rkt domainA.keytab
ktutil: rkt domainB.keytab
ktutil: rkt domainC.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: quit
Use klist -k to list the entries in /etc/krb5.keytab and confirm that a
host principal with the expected key version number (kvno) is present
for every domain. If /etc/krb5.keytab already existed before the merge,
check the listing for leftover entries from earlier keys.
/etc/krb5.keytab should be readable only by the superuser (root): the
file must be owned by root with mode 0600. Once the files have been
merged, delete the per-domain keytab files from the HP-UX machine so
that the host key is not left lying in a second location.
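The merge-and-verify step above, as an added example that is not part of the HP guide and does not call ktutil or klist: a small Python tool that parses keytab files offline, merges several per-domain keytabs into one while keeping only the first copy of a repeated record, lists the result in the same shape as klist -k, flags realms with no key and principals that appear under more than one kvno (what two ktpass runs for the same host leave behind), and checks that the file mode is what "readable only by the superuser" requires. It assumes the keytab file format that ktpass and MIT-derived Kerberos write (magic 0x0502, big-endian records). The host name hpux1.example.com, the realm names, the key bytes and the sample keytabs are all constructed for the example, not taken from the page.

```python
# Added example (not HP's code): parse, merge and sanity-check keytab files offline.
# Assumes the keytab format ktpass and MIT-derived Kerberos write: magic 0x0502, big-endian.
import stat
import struct

KEYTAB_VERSION = b"\x05\x02"


def _counted(data, pos):
    """Read a uint16-length-prefixed byte string at pos; return (bytes, next pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype, timestamp and the raw record."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos < len(data):
        start = pos
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        _key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit field when nonzero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp, "raw": data[start:end]})
        pos = end
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; used only to construct sample input."""
    out = KEYTAB_VERSION
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                       # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def merge_keytabs(blobs):
    """Concatenate the entries of several keytabs, keeping the first copy of any record
    that repeats (same principal, kvno and enctype) so the merge can be re-run safely."""
    out, seen = KEYTAB_VERSION, set()
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e["principal"], e["kvno"], e["enctype"])
            if ident not in seen:
                seen.add(ident)
                out += e["raw"]
    return out


def check_keytab(entries, expected_realms):
    """List realms with no entry, and principals present under more than one kvno
    (ktpass run twice for the same host; confirm the newest kvno matches the DC)."""
    findings = []
    present = {e["principal"].rsplit("@", 1)[1] for e in entries}
    for realm in expected_realms:
        if realm not in present:
            findings.append("no key for realm %s" % realm)
    kvnos = {}
    for e in entries:
        kvnos.setdefault(e["principal"], set()).add(e["kvno"])
    for principal, versions in sorted(kvnos.items()):
        if len(versions) > 1:
            findings.append("%s has kvnos %s" % (principal, sorted(versions)))
    return findings


def mode_ok(st_mode, st_uid):
    """'Readable only by the superuser': owned by root, no group/other bits (0600)."""
    return st_uid == 0 and (stat.S_IMODE(st_mode) & 0o077) == 0


# Constructed sample data standing in for domainA/B/C.keytab (keys are dummy bytes;
# enctype 23 is rc4-hmac). DomainB's file shows what two ktpass runs leave behind.
HOST = "host/hpux1.example.com"
SAMPLE_KEYTABS = [
    build_keytab([(HOST + "@DOMAINA.EXAMPLE.COM", 3, 23, b"\x11" * 16)]),
    build_keytab([(HOST + "@DOMAINB.EXAMPLE.COM", 4, 23, b"\x22" * 16),
                  (HOST + "@DOMAINB.EXAMPLE.COM", 5, 23, b"\x23" * 16)]),
    build_keytab([(HOST + "@DOMAINC.EXAMPLE.COM", 2, 23, b"\x33" * 16)] * 2),   # duplicated record
]
EXPECTED_REALMS = ["DOMAINA.EXAMPLE.COM", "DOMAINB.EXAMPLE.COM",
                   "DOMAINC.EXAMPLE.COM", "DOMAIND.EXAMPLE.COM"]   # DomainD deliberately missing

if __name__ == "__main__":
    merged = parse_keytab(merge_keytabs(SAMPLE_KEYTABS))
    for e in merged:                                   # same shape as the klist -k listing
        print("%4d %s" % (e["kvno"], e["principal"]))
    for finding in check_keytab(merged, EXPECTED_REALMS):
        print("WARNING:", finding)
```

To run it against real files, read each transferred keytab with open(path, "rb").read() and pass the list of byte strings to merge_keytabs; compare the listing with klist -k on the HP-UX host, pass the os.stat() st_mode and st_uid of /etc/krb5.keytab to mode_ok, and treat a "has kvnos" warning as a prompt to check which key version the domain controller currently holds.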