What is the difference between Centrify's adkeytab command and the Kerberos keytab maintenance utility ktutil?
There are significant differences between ktutil and adkeytab, with adkeytab being much more powerful in many instances.
Adkeytab provides a mechanism to manage and edit keytab files while synchronizing the changes with AD. It not only synchronizes changes with AD when required but also supports very complex AD environments, while being MUCH easier to use than the traditional Kerberos tools. Ease of use was a big driver for the development of adkeytab to begin with, given how obscure the Kerberos tools can be to use.
Adkeytab can create new keytabs and create the account in AD, add new SPNs (service principal names) to existing keytabs while writing the SPNs to the correct account in AD, and adopt a keytab based on an existing account in AD, among many other features. Other very powerful features provided by adkeytab are password reset support (useful when the password of service accounts or principals needs to be reset) and multi-domain support (useful in complex AD environments).
We typically recommend that customers use adkeytab to manage keytab files (create, adopt, manage SPNs, reset passwords, etc.) and use ktutil to merge keytab files where required (load balance scenarios, clusters, etc.).
For more details, please refer to page 334 of the below link on adkeytab:
For ktutil, the below link was provided as a courtesy
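
The merge step recommended above for ktutil, as an added example (not Centrify's code and not part of the original article). It assumes the MIT Kerberos `ktutil` with its `rkt`/`wkt` commands; the function names are hypothetical and the file names passed in are the caller's own.

```shell
# Added example. Assumes MIT Kerberos ktutil (rkt/wkt); names are hypothetical.

# Print the ktutil command script: read every input keytab, write one output.
ktutil_merge_script() {
    for f in "$@"; do
        # The script is plain text fed to ktutil, so a name containing
        # whitespace or a newline would be parsed as extra arguments/commands.
        case $f in
            ''|*[[:space:]]*) echo "unsafe file name: $f" >&2; return 1 ;;
        esac
    done
    out=$1; shift
    for kt in "$@"; do
        printf 'rkt %s\n' "$kt"
    done
    printf 'list\nwkt %s\nquit\n' "$out"
}

# merge_keytabs OUT IN1 IN2 [IN...]
merge_keytabs() {
    [ "$#" -ge 3 ] || { echo "usage: merge_keytabs OUT IN1 IN2 [IN...]" >&2; return 2; }
    out=$1; shift
    # wkt appends to an existing keytab, so a re-run would keep old entries.
    [ ! -e "$out" ] || { echo "refusing to append to existing $out" >&2; return 1; }
    for kt in "$@"; do
        [ -r "$kt" ] || { echo "cannot read $kt" >&2; return 1; }
    done
    command -v ktutil >/dev/null 2>&1 || { echo "ktutil not found" >&2; return 127; }
    script=$(ktutil_merge_script "$out" "$@") || return 1
    # A keytab holds long-term keys: create the merged file owner-only.
    ( umask 077; printf '%s\n' "$script" | ktutil )
}
```

The `list` command prints the principals and key version numbers held in memory before the merged file is written, which is the place to confirm that each service's entries are present.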