Microsoft KB Archive/324144

= HOW TO: Use Ktpass.exe in Windows 2000 =

Article ID: 324144

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Small Business Server 2000 Standard Edition

-



This article was previously published under Q324144



IN THIS TASK

 * SUMMARY
 * The Ktpass.exe Syntax
 * Generate a UNIX Host Keytab File


SUMMARY
If you want to configure your UNIX hosts to use a Windows 2000-based server as a Kerberos Key Distribution Center (KDC), you must generate a Kerberos keytab file. You can use the Ktpass utility, which is included with the Microsoft Windows 2000 Resource Kit, to create a keytab file for your UNIX host.


The Ktpass.exe Syntax
The Ktpass utility creates Kerberos keytab files that are used by UNIX Kerberos-based systems to define KDC hosts and user/service mappings.

The syntax for the command is:

ktpass /out <filename> /princ <principal> [/mapuser <account>] [/in <filename>] [/crypto type] [/ptype type] [/keyno <n>] [/?]

Switch usage:

 * /out <filename> - Specifies the name of the keytable file to be generated.
 * /princ <principal> - The principal name.
 * /pass <password> - Password to use for this principal name.
 * /mapuser <account> - Map the name of a Kerberos principal to a local account.
 * /mapOp [add|set] - Defines how the mapping attribute is set. The default is to add.
 * /DesOnly - Set the account for DES-only encryption.
 * /in <filename> - The name of an existing keytab file to be used as the basis for the new keytab file.
 * /crypto [DES-CBC-CRC|DES-CBC-MD5] - Specify the encryption type to use (DES-CBC-CRC is the default).
 * /ptype <type> - Sets the principal type:
   * KRB5_NT_PRINCIPAL: The name of the principal or for users
   * KRB5_NT_SRV_INST: User service instance
   * KRB5_NT_SRV_HST: Host service instance
 * /kvno <n> - The key version number (the default is 1).
 * /? - Shows the usage screen.

After you generate the keytab file, either replace the existing file or merge the new file with the existing /etc/krb5.keytab file.


Generate a UNIX Host Keytab File
To create a UNIX keytab file to permit the UNIX host to authenticate with a Windows 2000-based server, you must create a user in Active Directory in Windows 2000. This user is used by the Kerberos service on the client. Then, generate the keytab file and copy it to the UNIX host.

To generate the host keytab file:

 1. Start the Active Directory Management tool.
 2. Right-click the Users folder, point to New, and then click User.
 3. Type the name of the UNIX host for which you want to add Kerberos support.
 4. Save the user.
 5. Start a command prompt, and then type the following command:

    ktpass -princ host/<hostname>@<domain> -mapuser <account> -pass <password> -out UNIXmachine.keytab

    where:

     * <hostname> is the host's DNS name.
     * <domain> is the Active Directory domain name with which you want to authenticate.
     * <account> is the account that you created in Active Directory.
     * <password> is the password for the account.

 6. Copy the resulting keytab file to the UNIX host. Use the Ktutil tool to merge this file with the existing configuration file.


Keywords: kbhowto kbhowtomaster KB324144

-


© Microsoft Corporation. All rights reserved.