Additional Tasks

Removing Keytab Entries and Host Principals:

If you need to remove a Kerberos keytab entry, remove the host principal entry from the database, or both, you will need to use the kadmin program again. You might need to do this if you are removing the application server from the network, if there is a problem with the keys, or if you have changed the host principal key.

In the following example, I will remove the key from the application server's keytab, then remove the host principal itself, doing it all from the application server.

[root@labsrv1 root]# kadmin -p super/admin
Authenticating as principal super/admin with password.
Enter password:
kadmin:  listprincs host*
host/das-m.kerb.org@KERB.ORG
host/das-s.kerb.org@KERB.ORG
host/labdemo2.kerb.org@KERB.ORG
host/labsrv1.kerb.org@KERB.ORG
kadmin:  ktremove host/labsrv1.kerb.org@KERB.ORG
Entry for principal host/labsrv1.kerb.org@KERB.ORG with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/labsrv1.kerb.org@KERB.ORG with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
kadmin:  delprinc host/labsrv1.kerb.org@KERB.ORG
Are you sure you want to delete the principal "host/labsrv1.kerb.org@KERB.ORG"? (yes/no): yes
Principal "host/labsrv1.kerb.org@KERB.ORG" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin:  quit

Viewing the Contents of the Keytab:

You may need to know which Kerberos keys are in a particular host's keytab. This can be done with the ktutil command. For example, to view the keytab for host "labdemo2":

[root@labdemo2 root]# ktutil
ktutil:  ?
Available ktutil requests:
 
clear_list, clear        Clear the current keylist.
read_kt, rkt             Read a krb5 keytab into the current keylist.
read_st, rst             Read a krb4 srvtab into the current keylist.
write_kt, wkt            Write the current keylist to a krb5 keytab.
write_st, wst            Write the current keylist to a krb4 srvtab.
add_entry, addent        Add an entry to the current keylist.
delete_entry, delent     Delete an entry from the current keylist.
list, l                  List the current keylist.
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3  host/labdemo2.kerb.org@KERB.ORG
   2    3  host/labdemo2.kerb.org@KERB.ORG
   3    3  imap/labdemo2.kerb.org@KERB.ORG
   4    3  imap/labdemo2.kerb.org@KERB.ORG
ktutil:  quit
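
The list output above shows only slot, KVNO and principal. The following Python is an added example, not part of the original page: it parses the version 0x0502 keytab file layout to report the encryption type stored with each entry (which is how one principal can hold two slots at the same KVNO) and counts the holes, entries with a negative length, that deleted entries can leave in the file. The sample keytab, its enctype values (17 and 18) and its all-zero keys are constructed, and the function names are this example's own.

```python
import struct

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, enctype, key):
    """Pack one entry for the constructed sample (not real key material)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def sample_keytab():
    """Constructed keytab: two live entries and one hole from a removed entry."""
    p = "host/labdemo2.kerb.org@KERB.ORG"
    hole = struct.pack(">i", -40) + b"\x00" * 40
    return (b"\x05\x02" + build_entry(p, 3, 17, b"\x00" * 16)
            + hole + build_entry(p, 3, 18, b"\x00" * 32))

def parse_keytab(data):
    """Return ([(principal, kvno, enctype)], hole_count); key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries, holes = 2, [], 0
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            holes += size < 0
            pos += -size
            continue
        end, fields = pos + size, []
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", data, pos)
            fields.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                   # skip the key itself, never print it
        if end - pos >= 4:                 # optional 32-bit KVNO, used if nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(fields[1:]) + "@" + fields[0], kvno, enctype))
        pos = end
    return entries, holes
```

To inspect a real keytab, pass the bytes of the file (read as root, since /etc/krb5.keytab holds long-term keys) to parse_keytab in place of sample_keytab().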