
KB-9939: What Active Directory permission is required to adopt a service account using adkeytab command?

Centrify DirectControl

28 February,18 at 08:28 PM

Question:

In a Kerberized environment, there are times when a service account needs to obtain a Kerberos credential and renew that credential indefinitely for a long-running process. Another scenario is a clustered environment where a virtual host account needs to provide services under an additional ServicePrincipalName (SPN).

One way to achieve goals like the above (though not limited to these scenarios) is to use the Centrify command 'adkeytab' to adopt a service account and build a keytab file for it.

A frequently asked question is: what permission is required to run the adkeytab command and adopt a service account?

Answer:

There are two options to adopt a service account and the permission required depends on the option chosen.

Option 1:
Let the adkeytab command reset the service account's password while adopting the account. Knowledge of the service account's current password is not required.

With this option, the account performing the adoption needs the 'reset password' and 'change password' permissions on the service account. Take the following command as an example:

adkeytab --adopt -u svcadmin -K /etc/svcacct.keytab svcacct

The account 'svcadmin' is performing the adoption, so it needs the 'reset password' and 'change password' permissions on the adopted account 'svcacct'. After the adoption, the password of the service account svcacct will have been reset to a randomly generated value.
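As an added example (not part of the Centrify article), the following PowerShell script grants only the two extended rights that Option 1 needs, scoped to the single service account rather than an OU, and then verifies that both ACEs are present. It uses the account names from the article (svcadmin, svcacct); the ActiveDirectory module, the domain, and the rights to modify the service account's security descriptor are assumed.

```powershell
# Added example, not Centrify's code. Assumes the ActiveDirectory module is installed
# and the caller may edit the ACL of the service account object.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the two extended rights named in the article.
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password

function Grant-AdoptPermission {
    param(
        [Parameter(Mandatory)] [string] $AdoptingAccount,   # e.g. svcadmin
        [Parameter(Mandatory)] [string] $ServiceAccount     # e.g. svcacct
    )
    $sid  = [System.Security.Principal.SecurityIdentifier] (Get-ADUser $AdoptingAccount).SID
    $dn   = (Get-ADUser $ServiceAccount).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"

    foreach ($rightGuid in @($ResetPasswordGuid, $ChangePasswordGuid)) {
        # One Allow ACE per extended right, on this object only (no inheritance).
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $rightGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Test-AdoptPermission {
    param([string] $AdoptingAccount, [string] $ServiceAccount)
    $sid = [System.Security.Principal.SecurityIdentifier] (Get-ADUser $AdoptingAccount).SID
    $dn  = (Get-ADUser $ServiceAccount).DistinguishedName
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    # Collect the extended-right GUIDs explicitly allowed to the adopting account.
    $have = (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        } | ForEach-Object { $_.ObjectType }
    # Option 1 succeeds only when both rights are present.
    return ($have -contains $ResetPasswordGuid) -and ($have -contains $ChangePasswordGuid)
}

Grant-AdoptPermission -AdoptingAccount 'svcadmin' -ServiceAccount 'svcacct'
Test-AdoptPermission  -AdoptingAccount 'svcadmin' -ServiceAccount 'svcacct'
```

Test-AdoptPermission only checks explicit per-object ACEs; a grant inherited from an OU or a broader right such as GenericAll would also let adkeytab succeed but is not what this least-privilege grant sets.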


Option 2:
Provide the service account's current password to the adkeytab command while adopting the account. Knowledge of the service account's current password is required.

With this option, the account performing the adoption does not need any extra permission; the default read permission is enough. The '--local' and '-w' flags are required to adopt the account this way. Here's an example:

adkeytab --adopt -u svcadmin --local -w <password> -K /etc/svcacct.keytab svcacct

where <password> should be replaced by the current password of account svcacct. After the adoption, the password of the service account will not be changed or reset.

Please read 'man adkeytab' for the complete option list and descriptions.