What is a keytab exactly?

To answer your two questions, every user and service does not need a keytab file and keytabs use symmetric key cryptography.

I’m going to explain a bit more based on my understanding on how keytabs are used in mixed networks of Windows and non-Windows systems using Active Directory as the directory service. If the directory service is something other than AD, which is the most popular directory service out there, then I am not as familiar with how the keytab would be used but I imagine the concepts would be the exact same since it is all based on Kerberos. Again, in enterprise networks, every user and service does not need a keytab file.

Keytabs are cryptographic files containing a representation of the service and its long-term key (what Samson referred to as the password) as it exists in the directory service. In an Active Directory realm, keytabs are especially useful for services running on a non-Windows platform protected by the Kerberos protocol.

Keytabs are used to either

  1. de-crypt the Kerberos service ticket of an inbound AD user to the service
  2. or authenticate the service itself to another service on the network.

Point #2 is especially useful, since as Samson said, a service cannot manually type in it’s password to authenticate itself, so the long-term key is helpfully encoded into the file. This is why the keytab file itself is sensitive and needs to be protected.

For additional in-depth information regarding keytabs, you can read more about keytabs here: Kerberos Keytabs – Explained.

I frequently go back and edit it based on questions I see here in this forum.

Leave a Comment