CentOS, Oracle Linux, Red Hat Enterprise Linux, HP-UX, IBM AIX, SUSE Enterprise Linux, Ubuntu Linux, openSUSE
Centrify Infrastructure Services
In a Kerberized environment, there are times when a service account needs to obtain a Kerberos credential and renew it indefinitely for a long-running process. Another scenario is a clustered environment where a virtual host account needs to provide services using an additional Service Principal Name (SPN).
One way to achieve goals like these (but not limited to them) is the Centrify command 'adkeytab', which can be used to adopt a service account and build a keytab file for it.
A common question is: what permission is required to run the adkeytab command and adopt a service account?
There are two options for adopting a service account, and the permission required depends on the option chosen.
Option 1: Let the adkeytab command reset the service account's password while adopting the account. Knowledge of the service account's current password is not required.
With this option, the account performing the adoption needs the 'reset password' and 'change password' permissions on the service account. Take the following command as an example:
The account 'svcadmin' performs the adoption, so it needs 'reset password' and 'change password' permission on the adopted account 'svcacct'. After the adoption, the password of the service account svcacct is reset to a randomly generated value.
Option 2: Provide the service account's current password to the adkeytab command while adopting the account. Knowledge of the service account's current password is required.
With this option, the account performing the adoption does not need any extra permission; the default read permission is enough. The '--local' and '-w' flags are required to adopt the account this way. Here's an example: