# Kerberos and keytabs that expire

## M.A.

I am kerberising access to some resources and services, such as SSH, HTTP, IMAP... The Kerberos infrastructure is an Active Directory.

After some googling and tries, I eventually got this working and (I thought) understood how this works.

However, I'm struggling with an annoying problem that is keeping me from deploying this on actual servers: keytabs expire, it seems, after a week or so.

I thought keytabs should last forever (well, if the account password hasn't changed, of course) but in my case they just last one week. I have googled a lot and the only reference to this I have found so far is this: http://serverfault.com/questions/285124/keytab-entries-seem-to-expire-after-7-days.

If I regenerate the keytab, then it works again. For SSH access I create the keytabs with the following command:

```
# net ads keytab create -U someuser
```

I have also generated other keytabs for apache in a Windows domain controller using this syntax:

```
C:\>ktpass /out file.keytab /princ HTTP/hostname.domain.com@REALM.DC /mapOp set /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass password /mapuser user
```

Both methods work, but both methods make keytabs that expire. Any clue about what can be happening here? Is it expected for keytabs to expire?

Many thanks!

----------

## rneville

Hi,

We are having exactly the same problem, did you ever resolve this?

Cheers

Richard

----------

## M.A.

Actually I kinda figured it out. Keytabs created with the net command are linked to the AD machine account, whose password changes often. For these cases I set up a cron task that recreates the keytab daily:

```
net ads keytab create -U user%password
```

On the other hand, keytabs linked to a user account remain valid until that user account's password expires; that's why user accounts created for Kerberos SPN purposes usually have "password never expires" checked.

Anyway, just for SSH, the HOST SPN stored in the keytab generated for the machine with the net command is enough; combined with the cron task there is no more maintenance involved, and no need to create any user accounts.

Of course, you could always create a user account with no password expiration policy and associate the HOST/machine SPN to this user, so you could create the keytab using ktpass and it would never expire. I prefer the "net ads" way, it allows me to automate server deployment.

----------
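An added example to go with the answer above; it is not the poster's script and not part of the thread. The daily recreation works because the real cause is Samba's own machine-password rotation: `net`/winbind change the AD machine account password on the interval set by `machine password timeout` in smb.conf (default 604800 seconds, one week), and every key in a keytab derived from that password goes stale on the same cycle. Setting `kerberos method = secrets and keytab` in `[global]` makes Samba rewrite the system keytab itself when it rotates that password, which removes the need for a cron job. If the cron approach is kept anyway, the script below only regenerates when the KDC actually rejects the current keytab, reads the join credentials from a root-owned mode-0600 credentials file via `net -A` instead of putting `user%password` on the command line (where `ps` and cron mail can see it), and logs the kvno it ends up with. It assumes MIT Kerberos `kinit`/`klist` (the kvno parser reads `klist -kt` output), Samba's `net`, and the hypothetical paths `/etc/krb5.keytab`, `/root/.ads-join.creds` and `/var/log/keytab-refresh.log`.

```sh
#!/bin/sh
# keytab-refresh: added example for this thread, not the poster's script.
# Re-creates the system keytab only when the KDC rejects it. Assumes MIT
# Kerberos kinit/klist and Samba's net; every path below is an assumption.
set -u

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINC="${PRINC:-host/$(hostname -f 2>/dev/null || echo localhost)}"
# Credentials file for `net -A`, same format smbclient uses:
#   username = someuser
#   password = secret
#   domain   = DOMAIN
# Keep it root-owned, mode 0600, so the password never appears on a command line.
CREDS_FILE="${CREDS_FILE:-/root/.ads-join.creds}"
LOG="${LOG:-/var/log/keytab-refresh.log}"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Highest kvno stored for principal $1, parsed from `klist -kt` output on stdin.
# MIT klist -kt lines look like:
#   "   3 01/02/2024 10:00:00 host/web1.example.com@EXAMPLE.COM"
# kvno is the first field, the principal the last. Dots in $1 act as regex
# wildcards, which is harmless for a hostname match.
keytab_kvno() {
    awk -v p="$1" '$NF ~ "^" p "@" && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# The only test that matters: can we still get a TGT with the keytab?
# A rotated machine password fails here (preauthentication failure / kvno mismatch).
keytab_is_valid() {
    KRB5CCNAME="MEMORY:keytab-check" kinit -k -t "$KEYTAB" "$PRINC" >/dev/null 2>&1
}

refresh_keytab() {
    if keytab_is_valid; then
        log "keytab ok, kvno $(klist -kt "$KEYTAB" | keytab_kvno "$PRINC")"
        return 0
    fi
    log "KDC rejected $PRINC from $KEYTAB, regenerating"
    if ! net ads keytab create -A "$CREDS_FILE" >>"$LOG" 2>&1; then
        log "net ads keytab create failed"
        return 1
    fi
    if keytab_is_valid; then
        log "refreshed, kvno $(klist -kt "$KEYTAB" | keytab_kvno "$PRINC")"
        return 0
    fi
    log "keytab still rejected after refresh; check 'net ads testjoin'"
    return 1
}

# Invoked from cron as:  0 3 * * * /usr/local/sbin/keytab-refresh run
case "${1:-}" in
    run) refresh_keytab ;;
esac
```

Because `keytab_is_valid` asks the KDC rather than looking at file age, the job also copes with an out-of-band password change (a manual `net ads changetrustpw`, or a re-join) instead of blindly rewriting a keytab that is still good; the logged kvno is what to compare against `msDS-KeyVersionNumber` on the AD side when something still does not line up.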

