Forum Discussion
bgiles
8 years ago · Former Employee
Creating a keytab file is straightforward.
If you are creating a keytab file for a user with a password you should use the ‘ktutil’ program.
$ ktutil
ktutil: add_entry -password -p principal -k kvno -e enctype
(enter password)
ktutil: write_kt keytabfile
ktutil: quit
where
- principal is your principal, e.g., bob@example.com or bob/hdfs@example.com for a more restricted principal
- kvno is the key version number. 1 should be fine.
- enctype is the encryption type. This is typically something like aes128-cts-hmac-sha1-96, des3-cbc-sha1, or arcfour-hmac. You should check with your system administrator to get the precise encryption types required. You can call this line multiple times, once for each encryption type.
- keytabfile is your keytab file. It traditionally ends with the .keytab extension.
You can verify the new file with ‘klist -kt keytabfile’.
If you are creating a keytab file for a server you must use the ‘kadmin’ program.
If the server principal does not exist yet:
$ kadmin
kadmin: add_principal principal
kadmin: ktadd -k keytabfile principal
If the server principal already exists:
$ kadmin
kadmin: ktadd -k keytabfile -norandkey principal
where principal is something like “hdfs/172.3.1.7@MYORG.EXAMPLE.COM”.