Create Machine Keytab on Linux for Active Directory authentication

This blog post outlines the troubleshooting I went through to get a machine keytab file working with Active Directory 2012 and CentOS 6.5.

STEP 1. My first attempt was to create the machine keytab file using samba’s net utility.

[root@mysql04p ~]# net ads keytab create -U tatroc

Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Enter tatroc's password:

In my /etc/samba/smb.conf I had the following line.

kerberos method = secrets and keytab

STEP 2. Verify that the machine principal names were created in the /etc/krb5.keytab file.

[root@mysql04p ~]# klist -Kke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  36 host/ (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 host/ (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 host/ (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 host/ (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 host/ (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)
  36 host/mysql04p@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 host/mysql04p@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 host/mysql04p@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 host/mysql04p@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 host/mysql04p@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)
  36 MYSQL04P$@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 MYSQL04P$@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 MYSQL04P$@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)

STEP 3. Try to initialize the keytab file. I fail to get a Kerberos ticket from Active Directory.

Received the message:
Client 'host/' not found in Kerberos database while getting initial credentials

[root@mysql04p ~]# kinit -k
kinit: Client 'host/' not found in Kerberos database while getting initial credentials
[root@mysql04p ~]#

STEP 4. After some googling, I discovered that I could create the machine keytab through another avenue: logging into the domain controller and running the ktpass.exe program as administrator.

C:\Windows\system32>ktpass /princ host/ /mapuser LAB\mysql04p$ +rndPass /crypto all /ptype KRB5_NT_PRINCIPAL /out krb5.keytab

Targeting domain controller:
Using legacy password setting method
Successfully mapped host/ to mysql04p$.
WARNING: Account mysql04p$ is not a user account (uacflags=0x11001).
WARNING: Resetting mysql04p$'s password may cause authentication problems if mysql04p$ is being used as a server.

Reset mysql04p$'s password [y/n]?  y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 56 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x1 (DES-CBC-CRC) keylength 8 (0xf1730
keysize 56 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x3 (DES-CBC-MD5) keylength 8 (0xf1730
keysize 64 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x17 (RC4-HMAC) keylength 16 (0x54eaee
keysize 80 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x12 (AES256-SHA1) keylength 32 (0x553
keysize 64 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 37 etype 0x11 (AES128-SHA1) keylength 16 (0xee5


STEP 5. Copy the keytab file to the Linux computer as mysql04p:/etc/krb5.keytab, then initialize the keytab file.

[root@mysql04p ~]# kinit -k

STEP 6. Run klist to verify that the machine has received a ticket.

[root@mysql04p ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/

Valid starting     Expires            Service principal
04/22/15 17:56:13  04/23/15 03:56:13  krbtgt/LAB.NET@LAB.NET
        renew until 04/29/15 17:56:13
[root@mysql04p ~]#

STEP 7. You can now use the keytab file to authenticate to resources in Active Directory.

kinit -k; ls -la

I was able to successfully create the machine keytab by using ktpass.exe on the Windows 2012 domain controller and then copying that file to the Linux system.
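A small shell audit for the keytab, added here as an example and not part of the original post. It reads `klist -Kke` output (the sample below is an abridged copy of the STEP 2 listing) and lists every key that uses a DES or RC4 (arcfour-hmac) enctype, which the `/crypto all` switch in STEP 4 also produced, and it checks that the keytab file itself is not group- or world-readable, since the keytab holds the machine account's long-term keys. The function names are my own; ktpass also accepts a single enctype such as `/crypto AES256-SHA1` when only an AES key is wanted.

```shell
#!/bin/sh
# Added example: audit a Kerberos keytab listing and the keytab file's mode.

# Constructed sample: an abridged copy of the `klist -Kke` output from STEP 2.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  36 host/mysql04p@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 host/mysql04p@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 host/mysql04p@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 host/mysql04p@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 host/mysql04p@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)
  36 MYSQL04P$@LAB.NET (des-cbc-crc)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (des-cbc-md5)  (0x5e97f7e98083a85e)
  36 MYSQL04P$@LAB.NET (aes128-cts-hmac-sha1-96)  (0xd96b9e5d0d6bc1f062b7faba698e1b4c)
  36 MYSQL04P$@LAB.NET (aes256-cts-hmac-sha1-96)  (0x9ebfb182419bbfda5d650a6c8a9769aaac4b7382c8fb58dcbc162978b4956a44)
  36 MYSQL04P$@LAB.NET (arcfour-hmac)  (0x31ad3e73de7991b275c269743fb0215a)
EOF
)

# Print "KVNO principal enctype" for every key whose enctype is DES or RC4.
# Reads `klist -Kke` output on stdin; returns 0 only when no weak key is present.
keytab_weak_keys() {
    awk '
        # key lines start with a numeric KVNO; header and separator lines do not
        $1 ~ /^[0-9]+$/ {
            etype = $3; gsub(/[()]/, "", etype)
            if (etype ~ /^(des-cbc-crc|des-cbc-md5|arcfour-hmac)$/) {
                print $1, $2, etype
                weak++
            }
        }
        END { exit weak ? 1 : 0 }'
}

# Succeed only if FILE is not readable by group or others (mode 0600 or tighter).
keytab_file_private() {
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -040 \) -print)" ]
}

# Interactive use: ./audit_keytab.sh /etc/krb5.keytab
if [ $# -gt 0 ]; then
    klist -Kke "$1" | keytab_weak_keys && echo "no DES/RC4 keys in $1"
    keytab_file_private "$1" || echo "WARNING: $1 is readable by group or others"
fi
```

On the listing from STEP 2 the audit reports six weak keys (DES-CRC, DES-MD5 and RC4 for each of the two principals); only the two AES keys are needed by a 2012-era domain, and the file should be owned by root with mode 0600.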


Extend Linux Logical Volume

This support document describes the steps needed to extend a logical volume in Linux.

STEP 1. View the current file system to device mappings

 a.  df -h

STEP 2. Use cfdisk to create another partition with the free space on /dev/sdb

 a.  cfdisk /dev/sdb
 b. In the cfdisk menu select the available free space
 c. Select create PRIMARY
 d. Select the SIZE of the new primary partition
 e. Select TYPE > Select type 8E (Linux LVM)
 f. Select WRITE 
 g.  fdisk -l (run fdisk -l to verify the new partition was created)

STEP 3. The next step is to use pvcreate, which initializes the physical volume for later use by the Logical Volume Manager (LVM).

Reboot the server before using pvcreate, or it won't see the new partition.

pvcreate /dev/sdb2

STEP 4. Run volume group display to see the name of the volume groups on the server:


STEP 5. Add the new partition you created to the volume group which you are extending

vgextend vg_server01 /dev/sdb2

STEP 6. Extend the volume on the volume group

lvextend /dev/mapper/vg_server01-lv_home /dev/sdb2

STEP 7. Resize the file system:

 a.  resize2fs /dev/mapper/vg_server01-lv_home
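A guarded wrapper for STEPs 3 to 7, added here as an example and not part of the original document. Before touching anything it checks, from `fdisk -l` output read on stdin, that the new partition really has Id 8e (Linux LVM) as set in STEP 2e, then runs pvcreate, vgextend and lvextend with `-r`, which grows the file system in the same step and so replaces the separate resize2fs. The sample fdisk output is constructed, and `DRY_RUN=1` makes the wrapper print the commands instead of executing them; function and variable names are my own.

```shell
#!/bin/sh
# Added example: preflight-checked version of the extend procedure.

# Constructed sample `fdisk -l` output for the disk from STEP 2.
SAMPLE_FDISK=$(cat <<'EOF'
Disk /dev/sdb: 214.7 GB, 214748364800 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1       13054   104856223+  83  Linux
/dev/sdb2           13055       26108   104856255   8e  Linux LVM
EOF
)

# Succeed if DEVICE appears in the fdisk -l text on stdin with Id 8e (Linux LVM).
# The Id column position differs between fdisk versions, so every field is checked.
partition_is_lvm() {
    awk -v dev="$1" '
        $1 == dev { for (i = 2; i <= NF; i++) if ($i == "8e") found = 1 }
        END { exit found ? 0 : 1 }'
}

# extend_lv VG LV PARTITION, with `fdisk -l` output on stdin.
# Refuses to run unless PARTITION is an LVM partition; DRY_RUN=1 only prints.
extend_lv() {
    vg=$1; lv=$2; part=$3
    run=
    [ "${DRY_RUN:-0}" = 1 ] && run=echo
    if ! partition_is_lvm "$part"; then
        echo "refusing: $part is not a Linux LVM (8e) partition" >&2
        return 1
    fi
    # /dev/VG/LV avoids the hyphen escaping used in /dev/mapper names
    $run pvcreate "$part" &&
    $run vgextend "$vg" "$part" &&
    $run lvextend -r "/dev/$vg/$lv" "$part"
}

# Rehearsal:  fdisk -l | DRY_RUN=1 extend_lv vg_server01 lv_home /dev/sdb2
# Real run:   fdisk -l | extend_lv vg_server01 lv_home /dev/sdb2
```

Run the rehearsal first; it prints the three commands that would be executed, and nothing happens if the partition is still type 83 because the reboot from STEP 3 was skipped or cfdisk's type change was not written.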

Create custom SNMP OID in Linux

This guide was written using CentOS 6.5. I describe how to create a custom script that obtains the 1-minute load average on a Linux system and how to expose that script through SNMP so it can be polled by an SNMP poller such as Nagios or SolarWinds.

STEP 1. Create the 1-minute load average script.

vim /usr/sbin/
awk '{print $1}' /proc/loadavg

STEP 2. Update the snmpd.conf file to extend SNMP.

vim /etc/snmp/snmpd.conf
extend 1minloadavg /usr/sbin/

STEP 3. Restart SNMPD

service snmpd restart


snmpwalk -v2c -c public localhost NET-SNMP-EXTEND-MIB::nsExtendObjects | grep 1minloadavg

NET-SNMP-EXTEND-MIB::nsExtendCommand."1minloadavg" = STRING: /usr/sbin/
NET-SNMP-EXTEND-MIB::nsExtendArgs."1minloadavg" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."1minloadavg" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."1minloadavg" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."1minloadavg" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."1minloadavg" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."1minloadavg" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."1minloadavg" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."1minloadavg" = STRING: 0.08
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."1minloadavg" = STRING: 0.08
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."1minloadavg" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."1minloadavg" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."1minloadavg".1 = STRING: 0.08

STEP 5. Grab the named OID you wish to monitor and use snmptranslate to translate the named OID to a numerical value.

[root@mysql01p ~] snmptranslate -On NET-SNMP-EXTEND-MIB::nsExtendOutputFull.\"1minloadavg\"

The OID can then be entered into your favorite SNMP poller. In this case I use the SolarWinds Universal Device Poller, but open source solutions such as Nagios also support this.
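An audit for the `extend` lines added in STEP 2, written here as an added example rather than part of the original guide. snmpd runs the named program on every poll (nsExtendRunType is run-on-read above), so each command should be an absolute path to a file that exists and that only its owner can modify; a group- or world-writable script would let anyone with write access choose what snmpd executes. The function name and the constructed test configuration are my own.

```shell
#!/bin/sh
# Added example: check the programs snmpd will run for "extend" entries.

# Print one OK/WARN line per extend entry in CONF; return 1 if any WARN.
snmpd_extend_audit() {
    conf=$1
    report=$(
        # field layout: extend [OID] NAME PROG [ARGS]; comment lines never match
        awk '$1 == "extend" {
                 name = $2; cmd = $3
                 if (name ~ /^\./) { name = $3; cmd = $4 }
                 print name, cmd
             }' "$conf" |
        while read -r name cmd; do
            case "$cmd" in
                /*) ;;
                *)  echo "WARN $name: command is not an absolute path ($cmd)"; continue ;;
            esac
            if [ ! -f "$cmd" ]; then
                echo "WARN $name: $cmd does not exist"; continue
            fi
            # -perm -002 / -020: world-writable / group-writable bit set
            if [ -n "$(find "$cmd" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
                echo "WARN $name: $cmd is group- or world-writable"; continue
            fi
            echo "OK   $name: $cmd"
        done
    )
    printf '%s\n' "$report"
    case "$report" in *WARN*) return 1 ;; esac
    return 0
}

# Usage: snmpd_extend_audit /etc/snmp/snmpd.conf
```

Run it after editing snmpd.conf and before restarting snmpd; a non-zero exit means at least one entry needs its path or permissions fixed.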