Keytabs store Kerberos principals and keys. We use a keytab when we have key material and want kinit to create a normal MIT Kerberos cache.
Create a keytab manually with ktutil:
ktutil
addent -key -p 'gMSA01$@OOTW.LOCAL' -k 1 -e rc4-hmac
b3a15bbdfb1c53238d4b50ea2c4d1178
wkt gmsa01.keytab
quit
List keytab entries:
klist -k -t gmsa01.keytab
Request a TGT from the keytab:
export KRB5CCNAME=FILE:$(pwd)/gmsa01.ccache
kinit -V -k -t gmsa01.keytab 'gMSA01$@OOTW.LOCAL'
klist -e
Use the new cache:
export KRB5CCNAME=FILE:$(pwd)/gmsa01.ccache
nxc smb 10.10.10.200 -d ootw.local -u 'gMSA01$' -k --use-kcache
Common errors:
Key version number mismatch -> wrong KVNO
Preauthentication failed -> wrong key, enctype, or principal
Key table entry not found -> principal string does not match keytab
Bad encryption type -> local krb5 refuses the enctype
For lab-only weak crypto testing, add the needed enctype to /etc/krb5.conf, test, then revert the change.