Reputation: 11
I have encountered a problem. A keytab is generated for test01/[email protected]. I thought it would only work on host01, but it works on other hosts. Then the host01 doesn't make sense. How can I use the keytab only on host01? Thanks a lot!
Upvotes: 0
Views: 1952
Reputation: 677
Keytabs are not host specific. They are the equivalent of passwords.
A keytab contains SPNs and the corresponding password entries. An SPN is nothing but the name of the application service, e.g. HTTP/HOSTNAME:PORT.
Microsoft recommends one keytab per application.
In such a case, if there are two different applications running on two different hosts, the same keytab won't work on both hosts. (Note that a keytab can have multiple SPN entries; then the same keytab may work for two applications.)
If you are using a load-balanced environment where the face URL and the actual application URL are different, then the keytab can be generated using the face URL as the SPN. The same keytab can be shared (copied) across all the internal nodes.
Upvotes: 1
Reputation: 4623
There isn't nearly enough information here to provide you a meaningful answer.
Keytabs are designed to be portable key storage formats so that any service can request or accept tickets based on the keys within the file. All Kerberos needs to succeed is having the key the KDC knows and the key in the file to match. Once they match all the crypto works and out pops a ticket.
So without knowing exactly what kind of environment you're in, or the code you're running to try to limit it per machine, the best that can be said is: this is by design.
Upvotes: 0
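To make concrete what both answers above are saying, here is an added example (not code from any of the posts above, and not MIT Kerberos's own code): a small Python builder and parser for the MIT keytab file format (version 2). It follows the layout MIT krb5 documents for keytab files. The principal names, key bytes and timestamps are constructed sample values and the keys are not real Kerberos keys; the enctype number 18 (aes256-cts-hmac-sha1-96) is real. Walking the file shows exactly what a keytab holds: principal name, kvno, enctype and raw key, and nothing that names a host.

```python
"""Build and parse MIT-format (version 2) keytab files.

Added example for this thread, not code from the original posts or from
MIT Kerberos. Principal names, keys and timestamps below are constructed
sample values; the keys are not real Kerberos keys.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"    # file format version 2, big-endian integers
KRB5_NT_PRINCIPAL = 1         # name type used for principals like test01/host01
AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 encryption type number


@dataclass
class KeytabEntry:
    principal: str   # "service/instance@REALM"; the instance is just a name component
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries into keytab bytes (what ktpass / kadmin ktadd write)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)           # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # positive size = live entry
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Decode every live entry. Note what is NOT here: no hostname, no IP, no owner."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:      # 32-bit kvno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), vno, etype, key, ts))
    return entries


def lookup_key(data: bytes, principal: str, enctype: int):
    """What a service does with its keytab when accepting a ticket: find the key
    for (principal, enctype). No hostname is involved in the lookup, so any host
    holding the same bytes obtains the same key."""
    for e in parse_keytab(data):
        if e.principal == principal and e.enctype == enctype:
            return e.key
    return None


# Constructed sample: two SPNs in one keytab, as the second answer notes is possible.
SAMPLE = build_keytab([
    KeytabEntry("test01/host01@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32)), 1700000000),
    KeytabEntry("HTTP/app.example.com@EXAMPLE.COM", 7, AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64)), 1700000000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype, "key", e.key.hex())
```

The "host01" in test01/host01 is only a component of the principal name the KDC and the service compare; it is not checked against the machine the file sits on. Whichever host can read the file has the key, so the file itself has to be protected and distributed like a password, which is the point both answers make.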