Creating and Maintaining Keys and Keytab Files
Two dcecp commands create key entries:

- keytab create: Creates keytab files, the keytab file entries, and the dced keytab object.
- keytab add: Adds key entries to existing keytab files.

With either command, you supply the name of the keytab file to create or modify. The following table lists the other options you can supply to the keytab create and keytab add commands.
The keytab create and keytab add Options

| Option | Meaning |
| --- | --- |
| -local | Accesses the keytab file without using dced. |
| -entry | Creates only the dced configuration information, not the actual key table. |
| -noprivacy | Specifies that the protection level used should be the default protection level for your site instead of rpc_c_protect_level_pkt_privacy. |
| -member name | The name of the principal (server or machine) whose key you are creating or changing. You can supply multiple names in a list. If you supply a list, all principals named in the list are assigned the same key. |
| -key key | The plain text key to the account. This option cannot be used with the -random option. |
| -random | Generates a random key. If you use this option, you must also use the -registry option to add the randomly generated key to the server's or machine's account in the registry. This option cannot be used with the -key option. |
| -registry | Updates the principal's key in the registry to match the key that you enter (or generate automatically) for the key in the keytab file. Use it to ensure that the principal's key in the registry and the keytab file are synchronized when you change a principal's key in the keytab file. This option is required if you use the -random option. Using this option may require you to run the dcecp login command to ensure that your network identity is appropriate for modifying the registry database. |
| -version number | Specifies a version number for the key. It is required if you do not use the -registry option. |
| -storage local_file_name | The pathname of the local file to be created. This option is used only for the keytab create command. When you add entries to an existing keytab file, you identify the file by its dced object name. |
| -data keys | The server principal name and keys in the format principal_name key_type {version} {key_value} |