Authenticating Windows domain users on Linux servers - keytab:ActiveDirectory

Stories from the life of a Windows domain:

Do you know the password of the Linux host-A? I'm not quite sure, maybe it is "init" - "password" - "barack".

Isn't it stupid that you are guessing the passwords every time you want to connect to a Linux server within a Windows domain?

Wouldn't it be pretty cool if domain users can authenticate to your Linux server with their domain credentials?

No more password guessing, password excel sheets or crypted databases!

I'll show you how to do that with a keytab and a little script I wrote myself.

You can join the domain and configure everything without using a keytab, but manually entering the password is irritating.

First of all, we need to create the keytab file. We need the key version number (KVNO) of the domain account you want to use for the keytab credentials. Every time you change the domain password of a user, the key version number is incremented. To find out the current number you can use ADSIEdit or ldapsearch:

$ ldapsearch -x -h DOMAINSERVER.LOCAL.LAN -D 'DOMAINUSER@local.lan' -W  -b 'dc=local,dc=lan' '(sAMAccountName=DOMAINUSER)' msDS-KeyVersionNumber
# msDS-KeyVersionNumber: 2

Key version number is 2. Now we can create the keytab by using ktutil:

$ ktutil
ktutil:  addent -password -p DOMAINUSER@LOCAL.LAN -k 2 -e RC4-HMAC
Password for DOMAINUSER@LOCAL.LAN: <enter the password>
ktutil:  wkt /etc/krb5.keytab.DOMAINUSER
ktutil:  q

After we created the keytab, we can check the file with klist:

$ klist -k -t /etc/krb5.keytab.DOMAINUSER
Keytab name: FILE:/etc/krb5.keytab.DOMAINUSER
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02.10.2015 12:16:34 DOMAINUSER@LOCAL.LAN
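As an added check (example code, not from the original post or its script): the KVNO stored in the keytab must equal the msDS-KeyVersionNumber that Active Directory currently reports for the account, otherwise the keytab stops working after the next password change. The ldapsearch and klist outputs below are constructed to mirror the formats shown above; the function names are my own.

```shell
#!/bin/sh
# Added example: compare the KVNO in a keytab with the one AD reports.
# Sample outputs are constructed; feed real "ldapsearch ... msDS-KeyVersionNumber"
# and "klist -k -t <keytab>" output into the functions instead.

# Extract msDS-KeyVersionNumber from ldapsearch output on stdin (first hit).
ad_kvno() {
    sed -n 's/^[# ]*msDS-KeyVersionNumber: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract the highest KVNO for one principal from "klist -k -t" output on stdin.
# Prints 0 when the principal is not in the keytab.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = 0 }
        $NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
        END { print max }'
}

# Succeeds only when both numbers are present and equal.
kvno_matches() {
    ad="$1"; kt="$2"
    [ -n "$ad" ] && [ -n "$kt" ] && [ "$ad" -eq "$kt" ] 2>/dev/null
}

# Constructed sample data mirroring the outputs shown in the post.
LDAP_OUT='dn: CN=DOMAINUSER,CN=Users,DC=local,DC=lan
msDS-KeyVersionNumber: 2'
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab.DOMAINUSER
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02.10.2015 12:16:34 DOMAINUSER@LOCAL.LAN'

# Runs the comparison on the sample data; returns 1 on mismatch so it can be
# used as a pre-flight check before the domain join.
check_sample() {
    ad=$(printf '%s\n' "$LDAP_OUT" | ad_kvno)
    kt=$(printf '%s\n' "$KLIST_OUT" | keytab_kvno 'DOMAINUSER@LOCAL.LAN')
    if kvno_matches "$ad" "$kt"; then
        echo "OK: keytab KVNO $kt matches AD KVNO $ad"
    else
        echo "MISMATCH: keytab KVNO $kt, AD KVNO $ad - recreate the keytab with -k $ad" >&2
        return 1
    fi
}
```

On the constructed data the check reports a mismatch (keytab 1, AD 2), which is exactly the condition to fix by re-running ktutil with the current KVNO.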

The keytab file is ready to use. We need to store this keytab file in a central location, where it can be downloaded really easily.

We use our Mercurial repository for storing the domain join keytab file.

You can now download this little script and change the line 212:

212: wget <LINK-TO-YOUR-KEYTAB-FILE> --> insert the URL where your keytab is stored.

When that is done, you can start joining your domain by using the ./

The needed parameters are:

echo "-D | --domain    # Enter your Domainname ex. LOCAL.LAN"
echo "-H | --hostname  # Enter your Hostname - not FQDN!"
echo "-W | --workgroup # Enter your WORKGROUP ex. LOCAL"
echo "-G | --groups    # Enter your AD groups which are allowed to connect to the server -
             ex. -G \"Domain Admins\" -G \"Domain Users\" - quotation marks needed
             You can add multiple groups at once by separate -G options"


./ -D LOCAL.LAN -H DOMAINSERVER.LOCAL.LAN -W LOCAL -G "Domain Admins" -G "Linuxadmins"

You can now authenticate to your Linux servers by using your Windows AD credentials. Just add your users to the needed or wanted groups and you're done.

The next, still missing, step is an NFS-shared home directory that is mounted automatically when you connect to a Linux server. To be continued...

Special thanks and greetings to Svedrin.
