Hubba's Blog

Notes from a Linux/Unix Engineer


Extracting a user keytab for krb5 authentication without passwords.

Posted on Thu, Mar 05, 2026 at 16:15 by Hubertus A. Haniel

WARNING - The keytab must be kept safe as it can be used as a key on other systems!

The problem at hand: users that do not authenticate against AD and instead use an SSH key, for example for an SFTP job or for applications that run in the background, lose access to the NFS filesystem once their Kerberos ticket expires, but I need to encrypt the filesystem. How can we keep them authenticated?

For this we use ktutil to create our own keytab (ktutil is like a shell):

Run ktutil to enter the shell

In the shell, run "addent -password -p <user>@<REALM> -k 2 -e aes256-cts-hmac-sha1-96 -f", which will prompt you for the user's password.

The "-f" flag may not be required, but it makes sure that the salt is the same one kinit will use.

We can use "list -e" to view the result and then write it to a file with "wkt <filename.keytab>".

With "q" we can gracefully exit ktutil.

You should now be able to run "kinit -kt <path to above created keytab> <user>@<REALM>".

If that works, the keytab can be placed as <user>.keytab in /var/lib/gssproxy/clients/ and gssproxy will attempt to use it when that UID accesses the filesystem. ONLY root should be able to read that keytab!

On RHEL8, /etc/gssproxy/99-nfs-client.conf actually looks for the keytab as <numerical UID>.keytab in /var/lib/gssproxy/clients/.
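The whole procedure above, from the ktutil session through the kinit check to dropping the file into the gssproxy client directory, as an added shell example that is not from the original post. It assumes MIT krb5 ktutil/kinit on the PATH, root privileges, and the RHEL8 UID-named layout described above; ktutil reads the password from stdin, so it is fed through the pipe rather than passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT krb5 ktutil/kinit on
# PATH and the RHEL8 gssproxy layout described above
# (/var/lib/gssproxy/clients/<numeric UID>.keytab). Run as root.

GSSPROXY_CLIENT_DIR=/var/lib/gssproxy/clients

# The ktutil session from the post as a stdin script: ktutil reads the
# password from stdin too, so it goes through the pipe, never onto argv.
# kvno 2, the AES256 enctype and -f (KDC salt) are the post's settings.
ktutil_script() {
    principal=$1; keytab=$2; password=$3
    printf 'addent -password -p %s -k 2 -e aes256-cts-hmac-sha1-96 -f\n%s\nlist -e\nwkt %s\nq\n' \
        "$principal" "$password" "$keytab"
}

# gssproxy (99-nfs-client.conf) looks the keytab up by numeric UID, not name.
gssproxy_keytab_path() {
    printf '%s/%s.keytab\n' "$GSSPROXY_CLIENT_DIR" "$1"
}

# Prompt for the password without echo; printed on stdout for capture.
read_password() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    printf '%s\n' "$pw"
}

# Prove the keytab yields a TGT before installing it, using a throwaway
# credential cache so the caller's own tickets are untouched.
verify_keytab() {
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -kt "$1" "$2" >/dev/null 2>&1; rc=$?
    rm -f "$cc"; return $rc
}

# Create, verify and install the keytab for one user.
install_user_keytab() {
    user=$1; realm=$2; principal="$user@$realm"
    uid=$(id -u "$user") || return 1
    work=$(mktemp -d) || return 1
    tmp="$work/$user.keytab"   # fresh path: wkt appends to an existing keytab
    ktutil_script "$principal" "$tmp" "$(read_password "$principal")" | ktutil \
        && verify_keytab "$tmp" "$principal" \
        && install -o root -g root -m 0600 "$tmp" "$(gssproxy_keytab_path "$uid")"
    rc=$?
    rm -rf "$work"; return $rc
}
# Usage (as root): install_user_keytab sftpjob EXAMPLE.COM
```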

Edited on: Fri, Mar 06, 2026 14:06

Posted in HowTo, System - Linux