Provided by: msktutil_0.5.1-1_amd64 bug

NAME

       msktutil - fetches and manages kerberos keytabs in an Active Directory environment

SYNOPSIS

       msktutil [command 1] [command 2] [command 3] ...

DESCRIPTION

       msktutil  is a Unix/Linux keytab client for Microsoft Active Directory environments.  This
       program is capable of creating accounts in Active Directory, adding service principals  to
       those  accounts,  and creating local keytab files so that kerberizied services can utilize
       Active directory as a Kerberos realm.  msktutil will create and manage machine accounts by
       default.   The  --use-service-account  option  lets  msktutil operate on service accounts.
       msktutil requires that the Kerberos client libraries are properly installed and configured
       to use Active Directory as a realm.

       Whenever  a  principal  is  added  or  a  keytab  is  updated, the secret password for the
       corresponding account is changed.  By default, the password is not stored, so it needs  to
       be  reset each time msktutil is executed.  All entries in the keytab will be automatically
       updated whenever the password is reset.  The previous entries will be left in the  keytab,
       so  sessions using the older key versions will not break.  This behavior is similar to the
       way Windows hosts handle machine password changes.

CREDENTIALS

       There are two common methods of  using  this  program.   The  first  is  to  "kinit"  with
       Administrator-like  credentials  which  have permission to create computer objects in your
       Active Directory server.  If you invoke the program with such credentials, you can  create
       a new computer account or service account from scratch.

       The  second  is to pre-create the accounts with such credentials, and then invoke msktutil
       on a machine without any special  permissions.   When  the  computer  account  or  service
       account exists already, msktutil will attempt to authenticate as that account using either
       the existing keytab, or if that fails, a default password.  When that default password  is
       not  specified  with  the  option  --old-account-password,  msktutil  will use the default
       machine password.  It will then change the password and update the  keytab  appropriately.
       This is usually the more convenient option when joining many computers to the domain.

       To  pre-create  a  computer  account, you may use the Active Directory Users and Computers
       GUI, select "new computer" from the right click menu, and type the short  DNS  name,  then
       right  click on the newly created object and select "Reset account" to set the password to
       the default value.  Another  alternative  is  to  invoke  msktutil  with  the  --precreate
       argument.  Both methods accomplish the same thing.

       To pre-create a service account, you may use the Active Directory Users and Computers GUI,
       select "new user" from the right click menu, fill in all required data, set  the  password
       to  a  specific  value and use setspn.exe to set the desired servicePrincipalName(s).  You
       may also select "must change password at next logon".

PASSWORD EXPIRY

       Be aware that Windows machines  will,  by  default,  automatically  change  their  account
       password  every 30 days, and thus many domains have a 90-day password expiry window, after
       which your keytab will stop working.  There are two ways to deal with this:

       a) (Preferred): Make sure you're running a daily cron job to run  msktutil  --auto-update,
       which  will change the password automatically 30 days after it was last changed and update
       the keytab.

       b) (Not preferred): disable password expiry for the account via the --dont-expire-password
       option (or otherwise setting DONT_EXPIRE_PASSWORD flag in userAccountControl in AD).

PASSWORD POLICY ISSUES

       This section only applies to msktutil --use-service-account.

       While  machine  account  passwords  may  be changed at any time, service accounts are user
       accounts and your Active Directory domain may have special  password  policies  for  those
       user  accounts.   E.g., "minimum password age" is typically set to 1 day, which means that
       you will have to wait for that time to pass until you may invoke msktutil --update  --use-
       service-account.

OTHER NOTES

       Unlike  other  kerberos implementations, Active Directory has only a single key for all of
       the principals associated with an account.  So, if  you  create  a  HTTP/hostname  service
       principal,  it  will  share  the  same key as the host/hostname principal.  If you want to
       isolate (security-wise) different service principals, you may want to create  a  dedicated
       service  account  for  them  (with --use-service-account) and a separate keytab file (with
       --keytab).

       Also note: kinit -k 'host/computername' *will not work*, by default, even when that  is  a
       valid  service  principal existing in your keytab.  Active Directory does not allow you to
       authenticate as a service principal, so do not use that as a test of whether  the  service
       principal  is working.  If you actually want to authenticate as the computer account user,
       kinit -k 'computername$' instead.

       If you really need to be able to authenticate as 'host/computername', you can also use the
       --upn  argument  to  set the userPrincipalName attribute (generally requires administrator
       credentials, not computer account credentials).  Both 'computername$'  and  the  value  of
       userPrincipalName are treated as valid account names to kinit as.

       msktutil  will  use kerberized LDAP operations to talk to domain controllers.  To obtain a
       LDAP service ticket, the DNS service will be used to construct the domain controllers LDAP
       principal  name.   If  DNS  is mis-configured, this construction may fail.  To work around
       this issue,  you may specify the fully qualified DNS name of your domain  controller  with
       the --server option and additionally use the --no-reverse-lookups option.

       Samba (www.samba.org) provides the net command that can be used to manage kerberos keytabs
       as well.  Using msktutil and commands like "net ads join" or "net ads keytab" together can
       lead  to  trouble.   With  the  --set-samba-secret  option,  msktutil  can  be  used  as a
       replacement for net.

       Active Directory includes authorization data (e.g. information about group memberships) in
       Kerberos tickets.  This information is called PAC and may lead to very large ticket sizes.
       Especially HTTP services are known to produce failures  if  that  size  exceeds  the  HTTP
       header size.  If your service does not make use of that PAC information (which is true for
       most Unix/Linux-services) you may just disable it with the --no-pac option.

MODES

       -v, --version
              Displays version information

       --help Displays a help message

       -c, --create
              Creates a keytab for the current host or a given service  account.   Equivalent  to
              --update --service host.

       -f, --flush
              Flushes  out  all principals for the current accountname from the keytab, and makes
              corresponding changes to the machine or service account.

       -u, --update
              Forces a password change and updates all related service principal entries from the
              servicePrincipalName  and  userPrincipalName attributes.  Updates dNSDomainName for
              machine accounts and always updates msDS-supportedEncryptionTypes  attributes  with
              current values, and applies other changes as specified.

       --auto-update
              Checks  if  the  password  is at least 30 days old (from pwdLastSet attribute), and
              that the account does not have password expiry disabled.  If those  conditions  are
              met,  acts  just  like  --update.   Will  also  update  if  the  keytab  failed  to
              authenticate but the default password did work (e.g. after resetting the account in
              AD).   Otherwise, exits without doing anything (even if attribute modifying options
              are given).  This option is intended for use from a daily crontab  to  ensure  that
              the password is rotated regularly.

       --precreate
              Pre-create  (or  update) an account for the given host with default password.  Does
              not use or update local keytab.  Requires -h or --computer-name argument.   Implies
              --user-creds-only.  Generally requires administrator credentials.

CONNECTION/SETUP OPTIONS

       -b, --base <base>
              Specifies  a  relative  LDAP  base  when  creating  a  new  account.   For example,
              specifying '-b OU=Unix' for a computer named SERVER in an Active  Directory  domain
              example.com    would    create    a    computer   account   in   the   LDAP   path:
              CN=SERVER,OU=Unix,DC=EXAMPLE,DC=COM.  This option can also be specified by  setting
              the MSKTUTIL_LDAP_BASE environment variable to the desired value.

              If  not specified, the default value is read from AD (and the default there, unless
              modified by an admin, is CN=Computers for machine accounts and CN=Users for service
              accounts).

       --computer-name <name>
              Specifies  that the new account should use <name> for the computer account name and
              the SAM Account Name.  Note that a '$' will be automatically appended  to  the  SAM
              Account  Name.   Defaults to the machine's hostname, excluding the realm, with dots
              replaced with dashes.

              That is: if the realm is EXAMPLE.COM, and  the  hostname  is  FOO.EXAMPLE.COM,  the
              default  computer name is FOO.  If the hostname is FOO.BAR.EXAMPLE.COM, the default
              computer name is FOO-BAR.

       --account-name <name>
              An alias for --computer-name that can be used when operating on  service  accounts.
              Note  that  a  '$'  will not be automatically appended to the SAM Account Name when
              using service accounts.

       --old-account-password <password>
              Use supplied account password for authentication.  This is  useful  if  the  keytab
              does  not  yet  exist  but  the  password  of  the computer account is known.  This
              password will be changed by msktutil in order to create or update the keytab

       -h, --hostname <name>
              Overrides the current hostname to be used to be <name>.  If this is not  specified,
              the  local host name will be used.  Note that the local name lookup service will be
              to qualify and  resolve  names  into  fully-qualified  names,  including  a  domain
              extension.   This affects the default hostname for other arguments, and the default
              computer-name.  The hostname is also used to set the dNSDomainName attribute.

       -k, --keytab <file>
              Specifies to use <file> for the keytab.  This  option  can  also  be  specified  by
              setting  the MSKTUTIL_KEYTAB environment variable to the name of the desired keytab
              file.  This keytab is both read  from,  in  order  to  authenticate  as  the  given
              account,   and   written   to,  after  updating  the  account  password.   Default:
              /etc/krb5.keytab --keytab-auth-as <name> Specifies which principal name  we  should
              try  to use, when we authenticate from a keytab. Normally, msktutil will try to use
              the account name or the host principal for the current  host.  If  this  option  is
              specified,  instead  msktutil  will  try to use the given principal name first, and
              only fall back to the default behavior if we fail to authenticate  with  the  given
              name.  This  option  can  be useful if you do not know the current password for the
              relevant account, do not have a keytab with the account principal, but you do  have
              a keytab with a service principal associated with that account.

       --server <server>
              Specifies to use <server> as the domain controller.  This affects both kerberos and
              ldap operations.  The server can also be specified by setting  the  MSKTUTIL_SERVER
              environment variable.  Default: looked up in DNS from the realm name.

       --server-behind-nat
              When  the  server  is  behind a firewall that performs Network Address Translation,
              KRB-PRIV messages fail  validation.   This  is  because  the  IP  adddress  in  the
              encrypted  part of the message cannot be rewritten in the NAT process.  This option
              ignores the resulting error for  the  password  change  process,  allowing  systems
              outside  the  NAT  firewall  to  join  the domain managed by servers inside the NAT
              firewall.

       --realm <realm>
              Specifies to use <realm> as kerberos realm.  Default: use  the  default_realm  from
              [libdefaults] section of krb5.conf.

       --site <site>
              Find  and  use  domain  controller  in  specific AD site. This option is ignored if
              option --server is used.

       -N, --no-reverse-lookup
              Do not attempt to canonicalize the name of the domain controller  via  DNS  reverse
              lookups.  You may need to do this if your client cannot resolve the PTR records for
              a domain controller or your DNS servers store incorrect PTR records.  Default:  Use
              DNS reverse lookups to canonicalize DC names.

       --user-creds-only
              Don't attempt to authenticate with a keytab: only use user's credentials (from e.g.
              kinit).  You may need  to  do  this  to  modify  certain  attributes  that  require
              Administrator credentials (description, userAccountControl, userPrincipalName, in a
              default AD setup).

       --verbose
              Enables verbose status messages.  May be specified  more  then  once  to  get  LDAP
              debugging.

OBJECT TYPE/ATTRIBUTE-SETTING OPTIONS

       --use-service-account
              Create and maintain service accounts instead of machine accounts.

       --delegation
              Enables  the account to be trusted for delegation.  This option can also be enabled
              by  setting  the  MSKTUTIL_DELEGATION  environment  variable.   This  modifies  the
              userAccountControl attribute.  Generally requires administrator credentials.

       --description <text>
              Sets  the  account's description attribute to the given text (or removes if text is
              '').  Generally requires administrator credentials.

       --disable-delegation
              Disables the  account  from  being  trusted  for  delegation.   This  modifies  the
              userAccountControl attribute.  Generally requires administrator credentials.

       --disable-no-pac
              Unsets the flag that disables the KDC's including of a PAC in the machine's service
              tickets.  This  modifies  the  userAccountControl  attribute.   Generally  requires
              administrator credentials.

       --dont-expire-password
              Sets  the  DONT_EXPIRE_PASSSWORD  bit  in  the  userAccountControl attribute, which
              disables password expiry for this  account.   If  you  don't  run  a  cron  job  to
              periodically rotate the keytab, you will want to set this flag.  Generally requires
              administrator credentials.

       --do-expire-password
              Unsets  the  DONT_EXPIRE_PASSWORD  flag  in   the   userAccountControl   attribute.
              Generally requires administrator credentials.

       --enctypes <integer>
              Sets the supported encryption types in the msDs-supportedEncryptionTypes field.

              You may OR together the following values:
                0x1=des-cbc-crc
                0x2=des-cbc-md5
                0x4=rc4-hmac-md5
                0x8=aes128-cts-hmac-sha1
                0x10=aes256-cts-hmac-sha1

              This  value  is  used to determine which encryption types AD will offer to use, and
              which encryption types to put in the keytab.

              If the value is set to 0x3 (that is: only the two DES types), it also  attempts  to
              set the DES-only flag in userAccountControl.

              Note:  Windows  2008R2  refuses to use DES by default; you thus cannot use DES-only
              keys unless you have enabled DES encryption for your domain first.  Recent versions
              of MIT kerberos clients similarly refuse to use DES by default.

              Default: sets the value to 0x1C: that is, use anything but DES.

       --allow-weak-crypto
              Enables  the  usage  of  DES  keys  for authentication. This is equivalent to MIT's
              krb5.conf parameter allow_weak_crypto.

       --no-pac
              Specifies that service tickets for this account should not  contain  a  PAC.   This
              modifies  the  userAccountControl  attribute.  See Microsoft Knowledge Base article
              #832575  for  details.   This  option  can  also  be  specified  by   setting   the
              MSKTUTIL_NO_PAC    environment    variable.    Generally   requires   administrator
              credentials.

       -s, --service <principal>
              Specifies a  service  principal  to  add  to  the  account  (and  thus  keytab,  if
              appropriate).  The service is of the form <service>/<hostname>.  If the hostname is
              omitted, assumes current hostname.  May be specified multiple times.

       --remove-service <principal>
              Specifies  a  service  principal  to  remove  from  the  account  (and  keytab   if
              appropriate).

       --upn <principal>
              Sets  the  userPrincipalName  on  the  computer  account  or  service account to be
              <principal>.  Note that the realm will  automatically  be  appended  to  the  value
              given.   The  userPrincipalName  is  an additional name which can be used to kinit.
              This is generally unnecessary, since you can always authenticate as the name  given
              by  --accountname  (i.e.  computername$  for  computer  accounts)  whether  or  not
              userPrincipalName is set.  Generally requires administrator credentials.

       --set-samba-secret
              Use Samba's net changesecretpw command to locally set the machine account  password
              in Samba's secrets.tdb.  $PATH need to include Samba's net command.  Samba needs to
              be configured appropriately.

EXAMPLES

       For unprivileged users the most common invocations are:

       msktutil --update --service host --service HTTP

       This will update a computer account in Active Directory with a new password, write  out  a
       new keytab, and ensure that it has both "host" and "HTTP" service principals are on it for
       the hostname.

       msktutil --auto-update

       This is useful in a daily cron job to check and rotate  the  password  automatically  when
       it's 30 days old.

       For users with admin privileges in AD, some common uses:

       msktutil --create --service host --service HTTP

       This  will  create a computer account in Active Directory with a new password, write out a
       new keytab, and ensure that it has both "host" and "HTTP" service principals are on it for
       the hostname.

       msktutil --precreate --host computer1.example.com

       This  will  pre-create  an  account  for  computer1  with  the default password using your
       credentials.  This can be done on a central host, e.g. to  script  the  addition  of  many
       hosts.   You  can  then  use  msktutil  --create  on the hosts themselves (without special
       credentials) to join them to the domain.

       msktutil --host afs --service afs --enctypes 0x03

       This will create an afs/cell.name@REALM principal, and associate  that  principal  with  a
       computer  account  called  'afs'.   The  principal  will  be  marked as DES-only, which is
       required for AFS.

       msktutil --create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --accountname srv-http --no-pac

       This  will  create  an  HTTP/hostname.example.com@REALM  principal,  and  associate   that
       principal  with  a service account called 'srv-http'.  Corresponding Kerberos keys will be
       written to the keytab file /etc/apache/krb5.keytab.  The size of Kerberos tickets for that
       service will stay small because no PAC information will be included.

       msktutil --create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4

       This  will  create  a  computer account in Active Directory that is compatible with Samba.
       The command creates a new password, write out a new keytab, and ensure  that  it  includes
       both  "host/hostname"  and  "host/hostname.example.com"  as  service  principals (which is
       equivalent to what setspn.exe -R would do on windows).  The new computer password will  be
       stored  in  Samba's secrets.tdb database to provide interoperability with Samba.  As Samba
       (version 3) only supports arcfour-encrypted Kerberos tickets the --enctypes option must be
       used to select only that encryption type.

AUTHOR

        (C) 2004-2006 Dan Perry <dperry@pppl.gov>
        (C) 2006 Brian Elliott Finley (finley@anl.gov)
        (C) 2009-2010 Doug Engert (deengert@anl.gov)
        (C) 2010 James Knight <foom@fuhm.net>

                                              0.5.1                                   msktutil(1)