There are two ways to use Kerberos authentication: a Kerberos ticket cache or a Kerberos keytab. Windows has a limited set of tools for creating a keytab file. One is the built-in Windows Server utility ktpass, which can only be run on Windows Server. Another is ktab, which can be used on any Windows computer; ktab is part of the Java installation.
1. ktpass
There are strict requirements for running the tool. It must be run on either a member server or a domain controller of the Active Directory domain. Windows Server operating systems such as Windows Server 2008, 2012, or 2016 are supported. When running ktpass.exe, the Windows Command Prompt must be started with the Run as administrator option.
```
ktpass -princ [Windows user name]@[Realm name] -pass [Password] -crypto [Encryption type] -ptype [Principal type] -kvno [Key version number] -out [Keytab file path]
```
- [Windows user name] - mywindowsname.
- [Realm name] - SAMPLE.COM.
- [Password] - mywindowsname user password.
- [Encryption type] - RC4-HMAC-NT. See RFC 3961, section 8.
- [Principal type] - KRB5_NT_PRINCIPAL, which is Kerberos protocol 5.
- [Key version number] - 0.
- [Keytab file path] - c:\kerberos\keytabname.keytab.
2. ktab
It requires a Java JRE or JDK, or an open-source equivalent such as OpenJDK, to be installed. The tool has a limited set of options.
Encryption and principal types cannot be specified: Kerberos protocol 5 is always used, and keys for multiple encryption types are created.
```
ktab -a [Windows user name]@[Realm name] [Password] -n [Key version number] -k [Keytab file path]
```
List all encryption types stored in a keytab file
```
ktab -l -e -k [Keytab file path]
```
If multiple encryption types are not accepted by the authentication process, one encryption type can be kept and the rest deleted.
```
ktab -d [Windows user name]@[Realm name] -f -e [Number of encryption type] -k [Keytab file path]
```
- [Number of encryption type] - for example, 16. See RFC 3961, section 8 for the full list of values.
3. Usage Samples
3.1. DBeaver connection to Hive with Kerberos Authentication
Multiple encryption types can be present in the keytab file.
Create a keytab file
```
ktab -a mywindowsname@SAMPLE.COM mypassword -n 0 -k c:\kerberos\mywindowsname.keytab
Done!
Service key for mywindowsname@SAMPLE.COM is saved in c:\kerberos\mywindowsname.keytab
```
List content of the keytab file
```
ktab -l -e -k c:\kerberos\mywindowsname.keytab
Keytab name: c:\kerberos\mywindowsname.keytab
KVNO Principal
---- ---------------------------------------------------------------
   0 mywindowsname@SAMPLE.COM (18:AES256 CTS mode with HMAC SHA1-96)
   0 mywindowsname@SAMPLE.COM (17:AES128 CTS mode with HMAC SHA1-96)
   0 mywindowsname@SAMPLE.COM (16:DES3 CBC mode with SHA1-KD)
   0 mywindowsname@SAMPLE.COM (23:RC4 with HMAC)
```
3.2. Talend tHDFSConnection Component with Kerberos Authentication
Only one encryption type should be present in the keytab file, for example, 23.
Create a keytab file
```
ktab -a mywindowsname@SAMPLE.COM mypassword -n 0 -k c:\kerberos\mywindowsname.keytab
Done!
Service key for mywindowsname@SAMPLE.COM is saved in c:\kerberos\mywindowsname.keytab
```
List content of the keytab file
```
ktab -l -e -k c:\kerberos\mywindowsname.keytab
Keytab name: c:\kerberos\mywindowsname.keytab
KVNO Principal
---- ---------------------------------------------------------------
   0 mywindowsname@SAMPLE.COM (18:AES256 CTS mode with HMAC SHA1-96)
   0 mywindowsname@SAMPLE.COM (17:AES128 CTS mode with HMAC SHA1-96)
   0 mywindowsname@SAMPLE.COM (16:DES3 CBC mode with SHA1-KD)
   0 mywindowsname@SAMPLE.COM (23:RC4 with HMAC)
```
Delete the unused encryption types 16-18
```
ktab -d mywindowsname@SAMPLE.COM -f -e 16 -k c:\kerberos\mywindowsname.keytab
Done! 1 entries removed.
ktab -d mywindowsname@SAMPLE.COM -f -e 17 -k c:\kerberos\mywindowsname.keytab
Done! 1 entries removed.
ktab -d mywindowsname@SAMPLE.COM -f -e 18 -k c:\kerberos\mywindowsname.keytab
Done! 1 entries removed.
```
List content of the keytab file again
```
ktab -l -e -k c:\kerberos\mywindowsname.keytab
Keytab name: c:\kerberos\mywindowsname.keytab
KVNO Principal
---- ---------------------------------------------------------------
   0 mywindowsname@SAMPLE.COM (23:RC4 with HMAC)
```
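It is useful to be able to inspect a keytab independently of the tool that wrote it before handing it to DBeaver (3.1) or Talend (3.2), for instance to confirm that only one encryption type remains after the deletions above. The following Python is an added example, not part of the original article or of the ktab/ktpass tools: it writes and parses the MIT keytab file format (version 0x0502) that both tools produce, listing principal, KVNO and enctype code mapped through the RFC 3961 codes used on this page. The sample keytab, its principal and its key bytes are constructed; key material is parsed past but never returned.

```python
import struct

ENCTYPES = {16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",  # RFC 3961 s.8
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b  # counted octet string: uint16 length + bytes


def build_keytab(principal: str, kvno: int, keys: dict) -> bytes:
    """Write a version 0x0502 keytab, one entry per enctype (constructed sample:
    keys maps enctype code -> raw key bytes; timestamp is fixed at 0)."""
    name, realm = principal.split("@")
    out = b"\x05\x02"
    for etype, key in keys.items():
        comps = [_cstr(c.encode()) for c in name.split("/")]
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, stamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)  # trailing 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list:
    """Return [(principal, kvno, enctype_code, enctype_name), ...] without
    exposing key bytes. MIT-style deletion leaves a negative record size; skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:  # deleted slot: skip its stale payload
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        parts = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen  # skip name type, timestamp, vno8, enctype, key
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        principal = "/".join(parts[1:]) + "@" + parts[0]
        entries.append((principal, kvno, etype, ENCTYPES.get(etype, "unknown")))
        pos = end
    return entries
```

A keytab that is acceptable for the Talend case is one where `{e[2] for e in parse_keytab(data)}` has exactly one member.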
4. Encryption types
As per RFC 3961, section 8.
Encryption Type | Code | Section or Comment |
---|---|---|
des-cbc-crc | 1 | 6.2.3 |
des-cbc-md4 | 2 | 6.2.2 |
des-cbc-md5 | 3 | 6.2.1 |
[reserved] | 4 | |
des3-cbc-md5 | 5 | |
[reserved] | 6 | |
des3-cbc-sha1 | 7 | |
dsaWithSHA1-CmsOID | 9 | (pkinit) |
md5WithRSAEncryption-CmsOID | 10 | (pkinit) |
sha1WithRSAEncryption-CmsOID | 11 | (pkinit) |
rc2CBC-EnvOID | 12 | (pkinit) |
rsaEncryption-EnvOID | 13 | (pkinit from PKCS#1 v1.5) |
rsaES-OAEP-ENV-OID | 14 | (pkinit from PKCS#1 v2.0) |
des-ede3-cbc-Env-OID | 15 | (pkinit) |
des3-cbc-sha1-kd | 16 | 6.3 |
aes128-cts-hmac-sha1-96 | 17 | [KRB5-AES] |
aes256-cts-hmac-sha1-96 | 18 | [KRB5-AES] |
rc4-hmac | 23 | (Microsoft) |
rc4-hmac-exp | 24 | (Microsoft) |
subkey-keymaterial | 65 | (opaque; PacketCable) |