msktutil - fetches and manages kerberos keytabs in an Active
Directory environment
msktutil [mode] [parameter 1] [parameter 2] ...
msktutil is a Unix/Linux keytab utility for Microsoft Active
Directory environments. This program is capable of creating accounts in
Active Directory, adding service principals to those accounts, and creating
local keytab files so that kerberizied services can utilize Active Directory
as a Kerberos infrastructure. msktutil will create and manage machine
accounts by default. The --use-service-account option lets msktutil operate
on service accounts. msktutil requires that the Kerberos client libraries
are properly installed and configured to use Active Directory as a
realm.
Whenever a principal is added or a keytab is updated, the secret
password for the corresponding account is changed. By default, the password
is not stored, so it needs to be reset each time msktutil is executed. All
entries in the keytab will be automatically updated whenever the password is
reset. The previous entries will be left in the keytab, so sessions using
the older key versions will not break. This behavior is similar to the way
Windows hosts handle machine password changes.
There are two common methods of using this program. The first is
to "kinit" with Administrator-like credentials which have
permission to create computer objects in your Active Directory server. If
you invoke the program with such credentials, you can create a new computer
account or service account from scratch.
The second is to pre-create the accounts with such credentials,
and then invoke msktutil on a machine without any special permissions. When
the computer account or service account exists already, msktutil will
attempt to authenticate as that account using either the existing keytab, or
if that fails, a default password. When that default password is not
specified with the option --old-account-password, msktutil will use the
default machine password. It will then change the password and update the
keytab appropriately. This is usually the more convenient option when
joining many computers to the domain.
To pre-create a computer account, you may use the Active Directory
Users and Computers GUI, select "new computer" from the right
click menu, and type the short DNS name, then right click on the newly
created object and select "Reset account" to set the password to
the default value. Another alternative is to run msktutil in the pre-create
mode. Both methods accomplish the same thing.
To pre-create a service account, you may use the Active Directory
Users and Computers GUI, select "new user" from the right click
menu, fill in all required data, set the password to a specific value and
use setspn.exe to set the desired servicePrincipalName(s). You may also
select "must change password at next logon".
- create
- Creates a keytab for the current host or a given service account.
Equivalent to update --service host.
- update
- Forces a password change and updates all related service principal entries
from the servicePrincipalName and userPrincipalName attributes. Updates
dNSHostName for machine accounts and always updates
msDS-supportedEncryptionTypes attributes with current values, and applies
other changes as specified.
- auto-update
- Checks if the password is at least 30 days old (from pwdLastSet
attribute), and that the account does not have password expiry disabled.
If those conditions are met, acts just like msktutil update. Will also
update if the keytab failed to authenticate but the default password did
work (e.g. after resetting the account in AD). Otherwise, exits without
doing anything (even if attribute modifying options are given). This
option is intended for use from a daily crontab to ensure that the
password is rotated regularly.
- pre-create
- Pre-create (or update) an account for the given host with default
password. Does not use or update local keytab. Requires -h or
--computer-name argument. Implies --user-creds-only. Generally requires
administrator credentials.
- flush
- Flushes out principals for the current accountname from the keytab, and
makes corresponding changes to the machine or service account.
- cleanup
- Deletes entries from the keytab that are no longer needed. delete
Deletes the host or service account from Active Directory.
- -v, --version
- Displays version information
- --help
- Displays a help message
- --verbose
- Enables verbose status messages. May be specified more then once to get
LDAP debugging.
- -b, --base <base
ou>
- Specifies an LDAP base OU when creating a new account. Unless the given
string ends with the domain's base DN, it is assume to be a relative path:
For example, specifying '-b OU=Unix' for a computer named SERVER in an
Active Directory domain example.com would create a computer account in the
LDAP path: CN=SERVER,OU=Unix,DC=EXAMPLE,DC=COM. This option can also be
specified by setting the MSKTUTIL_LDAP_BASE environment variable to the
desired value.
If not specified, the default value is read from AD (and the
default there, unless modified by an admin, is CN=Computers for machine
accounts and CN=Users for service accounts).
- --computer-name
<name>
- Specifies that the new account should use <name> for the computer
account name and the SAM Account Name. Note that a '$' will be
automatically appended to the SAM Account Name. Defaults to the machine's
hostname, excluding the realm, with dots replaced with dashes.
That is: if the realm is EXAMPLE.COM, and the hostname is
FOO.EXAMPLE.COM, the default computer name is FOO. If the hostname is
FOO.BAR.EXAMPLE.COM, the default computer name is FOO-BAR.
- --account-name
<name>
- An alias for --computer-name that can be used when operating on service
accounts. Note that a '$' will not be automatically appended to the SAM
Account Name when using service accounts.
- --old-account-password
<password>
- Use supplied account password for authentication. This is useful if the
keytab does not yet exist but the password of the computer account is
known. This password will be changed by msktutil in order to create or
update the keytab
- --password
<new_password>
- Specify the new account password instead of generating a random one.
Consider the password policy settings when defining the string.
- --dont-change-password
- Do not create a new password. Try to use existing keys when performing
keytab updates or the old password when creating a new keytab. This is
useful for adding new SPNs to a machine or service account. This option is
only available in update or create mode. In create mode the old password
needs to be specified with --old-account-password
- -h, --hostname
<name>
- Overrides the current hostname to be used to be <name>. If this is
not specified, the local host name will be used. Note that the local name
lookup service will be to qualify and resolve names into fully-qualified
names, including a domain extension. This affects the default hostname for
other arguments, and the default computer-name. The hostname is also used
to set the dNSHostName attribute.
- -k, --keytab <file>
- Specifies to use <file> for the keytab. This option can also be
specified by setting the MSKTUTIL_KEYTAB environment variable to the name
of the desired keytab file. This keytab is both read from, in order to
authenticate as the given account, and written to, after updating the
account password. Default: /etc/krb5.keytab
- --keytab-auth-as
<name>
- Specifies which principal name we should try to use, when we authenticate
from a keytab. Normally, msktutil will try to use the account name or the
host principal for the current host. If this option is specified, instead
msktutil will try to use the given principal name first, and only fall
back to the default behavior if we fail to authenticate with the given
name. This option can be useful if you do not know the current password
for the relevant account, do not have a keytab with the account principal,
but you do have a keytab with a service principal associated with that
account.
- --server
<server>
- Specifies to use <server> as the domain controller. This affects
both kerberos and ldap operations. The server can also be specified by
setting the MSKTUTIL_SERVER environment variable. Default: looked up in
DNS from the realm name.
- --server-behind-nat
- When the server is behind a firewall that performs Network Address
Translation, KRB-PRIV messages fail validation. This is because the IP
address in the encrypted part of the message cannot be rewritten in the
NAT process. This option ignores the resulting error for the password
change process, allowing systems outside the NAT firewall to join the
domain managed by servers inside the NAT firewall.
- --realm
<realm>
- Specifies to use <realm> as kerberos realm. Default: use the
default_realm from [libdefaults] section of krb5.conf.
- --site <site>
- Find and use domain controller in specific AD site. This option is ignored
if option --server is used.
- -N, --no-reverse-lookups
- Do not attempt to canonicalize the name of the domain controller via DNS
reverse lookups. You may need to do this if your client cannot resolve the
PTR records for a domain controller or your DNS servers store incorrect
PTR records. Default: Use DNS reverse lookups to canonicalize DC
names.
- -n, --no-canonical-name
- Do not attempt to canonicalize the hostname while creating names of
kerberos principals. Instead use supplied hostname. This may be needed for
systems where forward and reverse DNS lookups do not return the same (an
dynamic dns system for example where lookup for myhost.mydomain returns IP
X.Y.Z.W , but lookup for IP X.Y.Z.W returns a name different than
myhost.mydomain).
- --user-creds-only
- Don't attempt to authenticate with a keytab: only use user's credentials
(from e.g. kinit). You may need to do this to modify certain attributes
that require Administrator credentials (description, userAccountControl,
userPrincipalName, in a default AD setup).
- --auto-update-interval
<days>
- Number of <days> when msktutil auto-update will change the account
password. Defaults to 30 days.
- -m, --sasl-mechanisms
<mechanisms list>
- A space-separated list of candidate SASL mechanisms to use when performing
the LDAP bind. The first mechanism in the list that is supported by both
the client (the host running msktutil) and the server (Active Directory)
will be used. If providing more than one candidate mechanism, make sure to
quote the list to protect the whitespace from the shell. Default:
"GSS-SPNEGO GSSAPI".
- --use-service-account
- Create and maintain service accounts instead of machine accounts.
- --delegation
- Enables the account to be trusted for delegation. This option can also be
enabled by setting the MSKTUTIL_DELEGATION environment variable. This
modifies the userAccountControl attribute. Generally requires
administrator credentials.
- --description
<text>
- Sets the account's description attribute to the given text (or removes if
text is ''). Generally requires administrator credentials.
- --disable-delegation
- Disables the account from being trusted for delegation. This modifies the
userAccountControl attribute. Generally requires administrator
credentials.
- --disable-no-pac
- Unsets the flag that disables the KDC's including of a PAC in the
machine's service tickets. This modifies the userAccountControl attribute.
Generally requires administrator credentials.
- --dont-expire-password
- Sets the DONT_EXPIRE_PASSSWORD bit in the userAccountControl attribute,
which disables password expiry for this account. If you don't run a cron
job to periodically rotate the keytab, you will want to set this flag.
Generally requires administrator credentials.
- --do-expire-password
- Unsets the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute.
Generally requires administrator credentials.
- --dont-update-dnshostname
- Do not update dnsHostName attribute. In some AD installations modification
of this attribute is not allowed (unless using administrator credentials),
using this option will avoid constraint violation warning.
- --enable
- Unsets the UF_ACCOUNT_DISABLE flag in the userAccountControl attribute.
When a computer leaves the domain this flag is normally set. Generally
requires administrator credentials.
- --enctypes
<integer>
- Sets the supported encryption types in the msDs-supportedEncryptionTypes
field.
You may OR together the following values:
0x1=des-cbc-crc
0x2=des-cbc-md5
0x4=rc4-hmac-md5
0x8=aes128-cts-hmac-sha1
0x10=aes256-cts-hmac-sha1
This value is used to determine which encryption types AD will
offer to use, and which encryption types to put in the keytab.
If the value is set to 0x3 (that is: only the two DES types),
it also attempts to set the DES-only flag in userAccountControl.
Note: Windows 2008R2 refuses to use DES by default; you thus
cannot use DES-only keys unless you have enabled DES encryption for your
domain first. Recent versions of MIT kerberos clients similarly refuse
to use DES by default.
Default: sets the value to 0x1C: that is, use anything but
DES.
- --allow-weak-crypto
- Enables the usage of DES keys for authentication. This is equivalent to
MIT's krb5.conf parameter allow_weak_crypto.
- --no-pac
- Specifies that service tickets for this account should not contain a PAC.
This modifies the userAccountControl attribute. See Microsoft Knowledge
Base article #832575 for details. This option can also be specified by
setting the MSKTUTIL_NO_PAC environment variable. Generally requires
administrator credentials.
- -s, --service
<principal>
- Specifies a service principal to add to the account (and thus keytab, if
appropriate). The service is of the form <service>/<hostname>.
If the hostname is omitted, assumes current hostname. May be specified
multiple times. When creating machine accounts, entries for the host
service are created by default, unless --service is given. Unqualified
service names (without a '/' component) are qualified with the full and
the short hostnames, eg. host/hostname.example.com and host/hostname.
- --remove-service
<principal>
- Specifies a service principal to remove from the account (and keytab if
appropriate).
- --upn <principal>
- Sets the userPrincipalName attribute of the computer account or service
account to be <principal>.
The userPrincipalName can be used in addition to the
sAMAccountName (e.g. computername$ for computer accounts) for kinit.
<principal> can be provided in short form (e.g.
host/hostname.example.com) or in long form (e.g.
host/hostname.example.com@EXAMPLE.COM). In short form the default realm
will automatically be appended.
This operation requires administrator privileges.
- --set-samba-secret
- Use Samba's net changesecretpw command to locally set the machine account
password in Samba's secrets.tdb. $PATH need to include Samba's net
command. Samba needs to be configured appropriately.
- --use-samba-cmd
<command>
- Use supplied command instead of Samba's net changesecretpw command.
command will be supplied machine account password on standard input and
shall return 0 exit code on success.
- --check-replication
- Wait until the password change is reflected in LDAP. By default, msktutil
exits once a password update is successful and the new keytab is written.
However, due to replication delays, LDAP queries might still return an
older key version number. If --check-replication is given, msktutil waits
until the key version number is updated on the queried LDAP server as
well. Note that this is just a sanity check: The new password is supposed
to be accepted on all domain controllers once the update succeeds, even if
LDAP is not yet in sync. Turning on this option might substantially
increase the runtime of msktutil in some environments due to replication
delays (eg. 15 to 30 minutes for common AD configurations). The default is
not to check LDAP replication.
- --remove-old
<number>
- Removes entries from the keytab that are older than <number> days.
The newest keytab entries will be kept to prevent a total cleanup. I.e. it
is not possible to produce an empty keytab with the --remove-old
option.
- --remove-enctype
<enctype>
- Removes entries from the keytab with given encryption type. Warning: it is
possible to produce empty keytabs with the --remove-empty option by
successively removing all encryption types. Supported enctype strings are:
des-cbc-crc,des-cbc-md5, arcfour, aes128 and aes256.
Be aware that Windows machines will, by default, automatically
change their account password every 30 days, and thus many domains have a
90-day password expiry window, after which your keytab will stop working.
There are two ways to deal with this:
a) (Preferred): Make sure you're running a daily cron job to run
msktutil auto-update, which will change the password automatically 30 days
after it was last changed and update the keytab.
b) (Not preferred): disable password expiry for the account via
the --dont-expire-password option (or otherwise setting DONT_EXPIRE_PASSWORD
flag in userAccountControl in AD).
This section only applies to msktutil --use-service-account.
While machine account passwords may be changed at any time,
service accounts are user accounts and your Active Directory domain may have
special password policies for those user accounts. E.g., "minimum
password age" is typically set to 1 day, which means that you will have
to wait for that time to pass until you may invoke msktutil update
--use-service-account.
Unlike other kerberos implementations, Active Directory has only a
single key for all of the principals associated with an account. So, if you
create a HTTP/hostname service principal, it will share the same key as the
host/hostname principal. If you want to isolate (security-wise) different
service principals, you may want to create a dedicated service account for
them (with --use-service-account) and a separate keytab file (with
--keytab).
Also note: kinit -k 'host/computername' *will not work*, by
default, even when that is a valid service principal existing in your
keytab. Active Directory does not allow you to authenticate as a service
principal, so do not use that as a test of whether the service principal is
working. If you actually want to authenticate as the computer account user,
kinit -k 'computername$' instead.
If you really need to be able to authenticate as
'host/computername', you can also use the --upn argument to set the
userPrincipalName attribute (generally requires administrator credentials,
not computer account credentials). Both 'computername$' and the value of
userPrincipalName are treated as valid account names to kinit as.
msktutil will use kerberized LDAP operations to talk to domain
controllers. To obtain a LDAP service ticket, the DNS service will be used
to construct the domain controllers LDAP principal name. If DNS is
misconfigured, this construction may fail. To work around this issue, you
may specify the fully qualified DNS name of your domain controller with the
--server option and additionally use the --no-reverse-lookups option.
Samba (www.samba.org) provides the net command that can be used to
manage kerberos keytabs as well. Using msktutil and commands like "net
ads join" or "net ads keytab" together can lead to trouble.
With the --set-samba-secret option, msktutil can be used as a replacement
for net.
Active Directory includes authorization data (e.g. information
about group memberships) in Kerberos tickets. This information is called PAC
and may lead to very large ticket sizes. Especially HTTP services are known
to produce failures if that size exceeds the HTTP header size. If your
service does not make use of that PAC information (which is true for most
Unix/Linux-services) you may just disable it with the --no-pac option.
For unprivileged users the most common invocations are:
msktutil create
This will create a computer account in Active Directory with a new
password and write out a new keytab.
msktutil update --service host --service HTTP
This will update a computer account in Active Directory with a new
password, write out a new keytab, and ensure that it has both
"host" and "HTTP" service principals are on it for the
hostname.
msktutil update --dont-change-password --service host --service HTTP
This will do the same as the last example but without changing the
password.
msktutil auto-update
This is useful in a daily cron job to check and rotate the
password automatically when it's 30 days old.
For users with admin privileges in AD, some common uses:
msktutil create --service host --service HTTP
This will create a computer account in Active Directory with a new
password, write out a new keytab, and ensure that it has both
"host" and "HTTP" service principals are on it for the
hostname.
msktutil pre-create --host computer1.example.com
This will pre-create an account for computer1 with the default
password using your credentials. This can be done on a central host, e.g. to
script the addition of many hosts. You can then use msktutil create on the
hosts themselves (without special credentials) to join them to the
domain.
msktutil create --host afs --service afs --enctypes 0x03
This will create an afs/cell.name@REALM principal, and associate
that principal with a computer account called 'afs'. The principal will be
marked as DES-only, which is required for AFS.
msktutil create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --account-name srv-http --no-pac
This will create an HTTP/hostname.example.com@REALM principal, and
associate that principal with a service account called 'srv-http'.
Corresponding Kerberos keys will be written to the keytab file
/etc/apache/krb5.keytab. The size of Kerberos tickets for that service will
stay small because no PAC information will be included.
msktutil create --keytab /etc/krb5/user/10123/client.keytab --use-service-account --account-name johndoe --dont-change-password --old-account-password <John Doe's Password>
This will create a keytab for johndoe without changing John Doe's
password
msktutil create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4
This will create a computer account in Active Directory that is
compatible with Samba. The command creates a new password, write out a new
keytab, and ensure that it includes both "host/hostname" and
"host/hostname.example.com" as service principals (which is
equivalent to what setspn.exe -R would do on windows). The new computer
password will be stored in Samba's secrets.tdb database to provide
interoperability with Samba. As Samba (version 3) only supports arcfour
encrypted Kerberos tickets the --enctypes option must be used to select only
that encryption type.
msktutil cleanup --remove-old 10
Deletes all entries older than 10 days, keeping at least the last
entry.
- MSKTUTIL_LDAP_BASE
- Specifies a relative LDAP base when creating a new account (see
--base),
- MSKTUTIL_KEYTAB
-
Specifies the keytab. Default: /etc/krb5.keytab (see --keytab),
- MSKTUTIL_SERVER
- Specifies the domain controller (see --server).
- MSKTUTIL_DELEGATION
- Enables the account to be trusted for delegation (see --delegation).
- MSKTUTIL_NO_PAC
- Specifies that service tickets for this account should not contain a PAC
(see --no-pac).
- MSKTUTIL_SAMBA_CMD
- Specifies the command to be used to locally set the machine account
password in Samba's secrets.tdb.
(C) 2004-2006 Dan Perry <dperry at pppl.gov>
(C) 2006 Brian Elliott Finley (finley at anl.gov)
(C) 2009-2010 Doug Engert (deengert at anl.gov)
(C) 2010 James Knight <foom at fuhm.net>
(C) 2010-2013 Ken Dreyer <ktdreyer at ktdreyer.com>
(C) 2012-2017 Mark Proehl <mark at mproehl.net>
(C) 2012-2017 Olaf Flebbe <of at oflebbe.de>
(C) 2013-2017 Daniel Kobras <d.kobras at
science-computing.de>