Add Kerberos Keytab Entry (ADDKRBKTE)

The Add Kerberos Keytab Entry (ADDKRBKTE) command is used to add an entry to the Kerberos keytab file for a specified principal name. A principal name consists of the user name or service name and the name of the realm to which that user or service belongs. If keytab entries already exist for the specified principal name, the default is to use a version number one greater than the largest version number of the existing entries.

Restrictions:

The Network Authentication Service commands and APIs support job environments for most EBCDIC CCSIDs. CCSID 290 and 5026 are not supported because the lower-case letters a to z do not have their usual code points in those CCSIDs.

Parameters

Keyword      Description    Choices                  Notes
PRINCIPAL    Principal      Element list             Required, Positional 1
               Element 1: Name     Character value
               Element 2: Realm    Character value, *DFT
PASSWORD     Password       Character value          Required, Positional 2
KEYTABFILE   Keytab file    Path name, *DFT          Optional
VERSION      Version        1-255, *GEN              Optional

Principal (PRINCIPAL)

Specifies the principal name of a user or service principal on a host in a Kerberos network. The principal and key pairs in the keytab file allow services running on the host to be authenticated by a Key Distribution Center (KDC). All principals are added to the Kerberos server, which maintains a database of all users and services within a Kerberos realm.

This is a required parameter.

Element 1: Name

Specifies the user principal name, or the service principal name on a specified host.

character-value
Specify the user name of the Kerberos principal.

The Kerberos principal has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alphanumeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).

Special characters allowed:

/ - delimits name components.

Element 2: Realm

Specifies the realm in which the Kerberos user is registered and in which initial authentication took place.

*DFT
The default realm for the local system will be used. Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. If the default realm has not been set, it is obtained from the default_realm entry in the [libdefaults] section of the Kerberos configuration file.
character-value
Specify the name of the Kerberos realm where the user specified for the first element of this parameter is registered.

The name has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alphanumeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).

Special characters allowed:

@ - starts the realm.

Password (PASSWORD)

Specifies the password that allows the principal to authenticate in the Key Distribution Center (KDC).

This is a required parameter.

character-value
Specify the password value. The password can be up to 255 characters long.

Keytab file (KEYTABFILE)

Specifies the Kerberos keytab file in which the principals and their keys are stored.

*DFT
The default keytab file for the current user will be used. If the KRB5_KTNAME environment variable is set, this is the name of the default keytab file. Otherwise, the keytab file name is obtained from the default_keytab_name entry in the [libdefaults] section of the Kerberos configuration file. If this entry is not defined, the default keytab file name is /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab.
path-name
Specify the path name of the stream file which contains the Kerberos keytab file to use.

Version (VERSION)

Specifies the key version number of the keytab entry.

*GEN
Generate the version number based on existing keytab entries. The first time a keytab entry is created for the specified principal, the default version number will be 1. If keytab entries exist for the specified principal, the default version number will be one greater than the largest version number of the existing entries.
1-255
Specify the version number for the keytab entry for the specified principal.
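
The PRINCIPAL and VERSION rules above (name@realm composed from the two elements, *DFT resolving to the default realm, and *GEN yielding 1 for a new principal or one more than the largest existing version) worked through in Python as an added example; this is not code from the command or from IBM. The keytab is modelled as a constructed list of (principal, version) pairs rather than the real keytab file format, and the function names and DEFAULT_REALM value are assumptions.

```python
# Constructed sample of existing keytab entries as (principal, key version number).
# A plain list stands in for the binary keytab file here.
SAMPLE_KEYTAB = [
    ("krbsvr400/camolts.myco.com@MYCO.COM", 1),
    ("krbsvr400/camolts.myco.com@MYCO.COM", 2),
    ("julius@GUADA.LAJARA.COM", 4),
]

# Stands in for the default_realm entry of krb5.conf (assumed value).
DEFAULT_REALM = "MYCO.COM"


def build_principal(name, realm="*DFT", default_realm=DEFAULT_REALM):
    """Compose PRINCIPAL element 1 (name) and element 2 (realm) as name@realm.
    '/' delimits name components; '*DFT' selects the local default realm."""
    if not 1 <= len(name) <= 256:
        raise ValueError("principal name must be 1 to 256 characters")
    realm = default_realm if realm == "*DFT" else realm
    if not 1 <= len(realm) <= 256:
        raise ValueError("realm must be 1 to 256 characters")
    return f"{name}@{realm}"


def next_version(keytab, principal, version="*GEN"):
    """Apply the VERSION rule: *GEN is 1 for a principal with no entries,
    otherwise one greater than its largest existing version; an explicit
    value must lie in 1-255 and is used as given."""
    if version == "*GEN":
        existing = [kvno for p, kvno in keytab if p == principal]
        kvno = max(existing) + 1 if existing else 1
    else:
        kvno = int(version)
    if not 1 <= kvno <= 255:
        # Assumed here: a generated or given version outside 1-255 is rejected;
        # the page does not state what the command does in that case.
        raise ValueError("key version number must be in the range 1-255")
    return kvno


def add_keytab_entry(keytab, name, realm="*DFT", version="*GEN"):
    """Append a (principal, kvno) entry to the modelled keytab and return it."""
    principal = build_principal(name, realm)
    entry = (principal, next_version(keytab, principal, version))
    keytab.append(entry)
    return entry
```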

Examples

Example 1: Adding a Service Principal Keytab Entry

ADDKRBKTE   PRINCIPAL('krbsvr400/camolts.myco.com'  MYCO.COM)
            PASSWORD(uneed2chg)  VERSION(*GEN)  KEYTABFILE(*DFT)

This command adds a service principal entry to the default keytab file.

Example 2: Adding a Principal Name Keytab Entry

ADDKRBKTE   PRINCIPAL('julius'  GUADA.LAJARA.COM)
            PASSWORD(uneed2chg)  VERSION(4)  KEYTABFILE(*DFT)

This command adds a user principal entry to the default keytab file.

Error messages

*ESCAPE Messages

CPFC601
No default keytab file found.
CPFC602
Keytab file &3 not found.
CPFC603
Keytab entry &2 not found.
CPFC605
Entry &1 could not be added to keytab file &2.
CPFC607
Key version &1 not found for &2.
CPFC61B
The principal name &3 can not be parsed.