--version Displays version information
--help Displays a help message
-c, --create Creates a keytab for the current host or a given service account. Equivalent to --update --service host.
-f, --flush Flushes out all principals for the current account name from the keytab, and makes corresponding changes to the machine or service account.
-u, --update Forces a password change and updates all related service principal entries from the servicePrincipalName and userPrincipalName attributes. Updates dNSDomainName for machine accounts and always updates msDS-supportedEncryptionTypes attributes with current values, and applies other changes as specified.
--auto-update Checks if the password is at least 30 days old (from the pwdLastSet attribute), and that the account does not have password expiry disabled. If those conditions are met, acts just like --update. Will also update if the keytab failed to authenticate but the default password did work (e.g. after resetting the account in AD). Otherwise, exits without doing anything (even if attribute-modifying options are given). This option is intended for use from a daily crontab to ensure that the password is rotated regularly.
--precreate Pre-creates (or updates) an account for the given host with the default password. Does not use or update the local keytab. Requires the -h or --computer-name argument. Implies --user-creds-only. Generally requires administrator credentials.
-b, --base <base> Specifies a relative LDAP base when creating a new account. For example, specifying -b OU=Unix for a computer named SERVER in an Active Directory domain example.com would create a computer account in the LDAP path: CN=SERVER,OU=Unix,DC=EXAMPLE,DC=COM. This option can also be specified by setting the MSKTUTIL_LDAP_BASE environment variable to the desired value.
If not specified, the default value is read from AD (and the default there, unless modified by an admin, is CN=Computers for machine accounts and CN=Users for service accounts).
--computer-name <name> Specifies that the new account should use <name> for the computer account name and the SAM Account Name. Note that a $ will be automatically appended to the SAM Account Name. Defaults to the machine's hostname, excluding the realm, with dots replaced with dashes.
That is: if the realm is EXAMPLE.COM, and the hostname is FOO.EXAMPLE.COM, the default computer name is FOO. If the hostname is FOO.BAR.EXAMPLE.COM, the default computer name is FOO-BAR.
--account-name <name> An alias for --computer-name that can be used when operating on service accounts. Note that a $ will not be automatically appended to the SAM Account Name when using service accounts.
--old-account-password <password> Use the supplied account password for authentication. This is useful if the keytab does not yet exist but the password of the computer account is known. This password will be changed by msktutil in order to create or update the keytab.
-h, --hostname <name> Overrides the current hostname to be used to be <name>. If this is not specified, the local host name will be used. Note that the local name lookup service will be used to qualify and resolve names into fully-qualified names, including a domain extension. This affects the default hostname for other arguments, and the default computer-name. The hostname is also used to set the dNSDomainName attribute.
-k, --keytab <file> Specifies to use <file> for the keytab. This option can also be specified by setting the MSKTUTIL_KEYTAB environment variable to the name of the desired keytab file. This keytab is both read from, in order to authenticate as the given account, and written to, after updating the account password. Default: /etc/krb5.keytab
--keytab-auth-as <name> Specifies which principal name we should try to use when we authenticate from a keytab. Normally, msktutil will try to use the account name or the host principal for the current host. If this option is specified, msktutil will instead try to use the given principal name first, and only fall back to the default behavior if authentication with the given name fails. This option can be useful if you do not know the current password for the relevant account and do not have a keytab with the account principal, but you do have a keytab with a service principal associated with that account.
--server <server> Specifies to use <server> as the domain controller. This affects both Kerberos and LDAP operations. The server can also be specified by setting the MSKTUTIL_SERVER environment variable. Default: looked up in DNS from the realm name.
--server-behind-nat When the server is behind a firewall that performs Network Address Translation, KRB-PRIV messages fail validation. This is because the IP address in the encrypted part of the message cannot be rewritten in the NAT process. This option ignores the resulting error for the password change process, allowing systems outside the NAT firewall to join the domain managed by servers inside the NAT firewall.
--realm <realm> Specifies to use <realm> as the Kerberos realm. Default: use the default_realm from the [libdefaults] section of krb5.conf.
--site <site> Find and use a domain controller in a specific AD site. This option is ignored if option --server is used.
-N, --no-reverse-lookup Do not attempt to canonicalize the name of the domain controller via DNS reverse lookups. You may need to do this if your client cannot resolve the PTR records for a domain controller or your DNS servers store incorrect PTR records. Default: use DNS reverse lookups to canonicalize DC names.
--user-creds-only Don't attempt to authenticate with a keytab: only use the user's credentials (from e.g. kinit). You may need to do this to modify certain attributes that require Administrator credentials (description, userAccountControl, userPrincipalName, in a default AD setup).
--verbose Enables verbose status messages. May be specified more than once to get LDAP debugging.
--use-service-account Create and maintain service accounts instead of machine accounts.
--delegation Enables the account to be trusted for delegation. This option can also be enabled by setting the MSKTUTIL_DELEGATION environment variable. This modifies the userAccountControl attribute. Generally requires administrator credentials.
--description <text> Sets the account's description attribute to the given text (or removes it if the text is empty). Generally requires administrator credentials.
--disable-delegation Disables the account from being trusted for delegation. This modifies the userAccountControl attribute. Generally requires administrator credentials.
--disable-no-pac Unsets the flag that stops the KDC from including a PAC in the machine's service tickets. This modifies the userAccountControl attribute. Generally requires administrator credentials.
--dont-expire-password Sets the DONT_EXPIRE_PASSWORD bit in the userAccountControl attribute, which disables password expiry for this account. If you don't run a cron job to periodically rotate the keytab, you will want to set this flag. Generally requires administrator credentials.
--do-expire-password Unsets the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute. Generally requires administrator credentials.
--enctypes <integer> Sets the supported encryption types in the msDS-supportedEncryptionTypes field.
You may OR together the following values:
This value is used to determine which encryption types AD will offer to use, and which encryption types to put in the keytab.
If the value is set to 0x3 (that is: only the two DES types), it also attempts to set the DES-only flag in userAccountControl.
Note: Windows 2008R2 refuses to use DES by default; you thus cannot use DES-only keys unless you have enabled DES encryption for your domain first. Recent versions of MIT kerberos clients similarly refuse to use DES by default.
Default: sets the value to 0x1C: that is, use anything but DES.
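The following is an added example, not code from msktutil, that models the --enctypes bitmask and the rules stated above (0x3 is DES-only and triggers the DES-only flag, 0x1C is the default, 0x4 is arcfour). The per-bit enctype values are assumed from the MS-KILE specification; they are not listed on this page.

```python
# Added example, not part of msktutil: model the msDS-supportedEncryptionTypes
# bitmask that --enctypes sets and the rules the man page states about it.
# Bit values are assumed from the MS-KILE specification, not from this page.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",                  # "arcfour", the only type Samba 3 supports
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
DES_MASK = 0x03          # the two DES types; 0x3 makes msktutil set the DES-only flag
AES_MASK = 0x18
KNOWN_MASK = 0x1F
DEFAULT_ENCTYPES = 0x1C  # msktutil's default: anything but DES


def decode_enctypes(value: int) -> list:
    """Names of the enctypes selected by a bitmask, in ascending bit order."""
    unknown = value & ~KNOWN_MASK
    if unknown:
        raise ValueError("unknown enctype bits set: %#x" % unknown)
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def encode_enctypes(names) -> int:
    """Build an --enctypes value from enctype names (e.g. in a config generator)."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        value |= by_name[name]   # KeyError on a name that is not an AD enctype
    return value


def assess_enctypes(value: int) -> dict:
    """Apply the man page's rules to a value and flag weak-crypto consequences."""
    selected = decode_enctypes(value)
    des_only = value != 0 and (value & ~DES_MASK) == 0
    findings = []
    if des_only:
        findings.append("DES-only: msktutil also sets the DES-only flag in "
                        "userAccountControl; Windows 2008R2 and recent MIT clients "
                        "refuse DES unless it is enabled for the domain")
    elif value & DES_MASK:
        findings.append("includes DES: keys are written but refused by default")
    if value and not (value & AES_MASK):
        findings.append("no AES: tickets and keytab rely on RC4/DES only")
    return {"value": value, "enctypes": selected, "des_only": des_only,
            "findings": findings}
```

The same decoder can be run over msDS-supportedEncryptionTypes values read from AD to audit which accounts still allow RC4 or DES.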
--allow-weak-crypto Enables the usage of DES keys for authentication. This is equivalent to MIT's krb5.conf parameter allow_weak_crypto.
--no-pac Specifies that service tickets for this account should not contain a PAC. This modifies the userAccountControl attribute. See Microsoft Knowledge Base article #832575 for details. This option can also be specified by setting the MSKTUTIL_NO_PAC environment variable. Generally requires administrator credentials.
-s, --service <principal> Specifies a service principal to add to the account (and thus the keytab, if appropriate). The service is of the form <service>/<hostname>. If the hostname is omitted, the current hostname is assumed. May be specified multiple times.
--remove-service <principal> Specifies a service principal to remove from the account (and keytab, if appropriate).
--upn <principal> Sets the userPrincipalName on the computer account or service account to be <principal>. Note that the realm will automatically be appended to the value given. The userPrincipalName is an additional name which can be used to kinit. This is generally unnecessary, since you can always authenticate as the name given by --accountname (i.e. computername$ for computer accounts) whether or not userPrincipalName is set. Generally requires administrator credentials.
--set-samba-secret Use Samba's net changesecretpw command to locally set the machine account password in Samba's secrets.tdb. $PATH needs to include Samba's net command. Samba needs to be configured appropriately.
For unprivileged users the most common invocations are:
msktutil --update --service host --service HTTP
This will update a computer account in Active Directory with a new password, write out a new keytab, and ensure that both the "host" and "HTTP" service principals for the hostname are on it.
This is useful in a daily cron job to check and rotate the password automatically when it is 30 days old.
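The rotation check that --auto-update performs (password at least 30 days old by pwdLastSet, expiry not disabled, or keytab failed while the default password worked) can be reproduced from the AD attributes. The following is an added example, not msktutil's own code; the FILETIME epoch offset, the DONT_EXPIRE_PASSWORD bit value and the sample entry are assumptions, not taken from this page.

```python
# Added example, not part of msktutil: the decision --auto-update makes, as the
# man page describes it, evaluated from the attributes it names (pwdLastSet and
# userAccountControl). Constants and the sample entry are assumptions.
import time

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
UNIX_EPOCH_FILETIME = 116444736000000000
# The DONT_EXPIRE_PASSWORD bit of userAccountControl (ADS_UF_DONT_EXPIRE_PASSWD).
DONT_EXPIRE_PASSWORD = 0x10000
ROTATION_AGE_DAYS = 30


def filetime_to_unix(filetime: int) -> float:
    """Convert a FILETIME value to seconds since the Unix epoch."""
    return (filetime - UNIX_EPOCH_FILETIME) / 10_000_000


def password_age_days(pwd_last_set: int, now_unix: float) -> float:
    return (now_unix - filetime_to_unix(pwd_last_set)) / 86400


def auto_update_decision(pwd_last_set: int, user_account_control: int,
                         now_unix: float = None, keytab_auth_ok: bool = True,
                         default_password_ok: bool = False) -> str:
    """Return 'update' or 'noop' following the --auto-update rules."""
    if now_unix is None:
        now_unix = time.time()
    # Keytab failed but the default password worked (account was reset in AD).
    if not keytab_auth_ok and default_password_ok:
        return "update"
    # Password expiry disabled: no rotation, even if the password is old.
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return "noop"
    if password_age_days(pwd_last_set, now_unix) >= ROTATION_AGE_DAYS:
        return "update"
    return "noop"


def decision_for_entry(entry: dict, now_unix: float = None) -> str:
    """Same decision from an LDAP entry whose attribute values are strings."""
    return auto_update_decision(int(entry["pwdLastSet"]),
                                int(entry["userAccountControl"]), now_unix)


# Constructed sample: a machine account whose password was set on 2024-01-01 UTC.
SAMPLE_ENTRY = {"pwdLastSet": "133485408000000000",
                "userAccountControl": "4096"}   # WORKSTATION_TRUST_ACCOUNT only
```

Running decision_for_entry over the computer accounts in a domain is a quick way to find hosts whose daily --auto-update job has stopped rotating their password.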
For users with admin privileges in AD, some common uses:
msktutil --create --service host --service HTTP
This will create a computer account in Active Directory with a new password, write out a new keytab, and ensure that both the "host" and "HTTP" service principals for the hostname are on it.
msktutil --precreate --host computer1.example.com
This will pre-create an account for computer1 with the default password using your credentials. This can be done on a central host, e.g. to script the addition of many hosts. You can then use msktutil --create on the hosts themselves (without special credentials) to join them to the domain.
msktutil --host afs --service afs --enctypes 0x03
This will create an afs/cell.name@REALM principal, and associate that principal with a computer account called afs. The principal will be marked as DES-only, which is required for AFS.
msktutil --create --use-service-account --service HTTP/hostname.example.com --keytab /etc/apache/krb5.keytab --accountname srv-http --no-pac
This will create an HTTP/hostname.example.com@REALM principal, and associate that principal with a service account called srv-http. Corresponding Kerberos keys will be written to the keytab file /etc/apache/krb5.keytab. The size of Kerberos tickets for that service will stay small because no PAC information will be included.
msktutil --create --service host/hostname --service host/hostname.example.com --set-samba-secret --enctypes 0x4
This will create a computer account in Active Directory that is compatible with Samba. The command creates a new password, writes out a new keytab, and ensures that it includes both "host/hostname" and "host/hostname.example.com" as service principals (which is equivalent to what setspn.exe -R would do on Windows). The new computer password will be stored in Samba's secrets.tdb database to provide interoperability with Samba. As Samba (version 3) only supports arcfour-encrypted Kerberos tickets, the --enctypes option must be used to select only that encryption type.
Ken Dreyer, Mark Pröhl, Olaf Flebbe