Create a keytab file for automated access to DartFS
A keytab file can contain the encrypted password for a user in Dartmouth’s Active Directory (i.e. a NetID). Thus a keytab can be used for automated processes which need access to services like DartFS without requiring that the password be stored somewhere in plain text.
Important: It is almost never a good idea to create a keytab file for your real NetID, because anyone else who reads it would have access to everything that your NetID does: email, Canvas, DartFS storage, etc. By obtaining a “service account”, and creating a keytab for that, you can restrict the keytab’s access to only what it really needs. Request a service account at https://services.dartmouth.edu/TDClient/1806/Portal/Requests/ServiceDet?ID=30581
Use the ktutil tool in Linux to create a keytab file (we have not figured out how to make this work on Mac/Windows). You will need to know the following four things to proceed.
The Research Computing Linux systems named Polaris, Andes and Discovery have everything you need. You likely already have an account on them and can log in to any one of them with your personal NetID and password (not the service account) to get started. If not, you can request access at https://rcweb.dartmouth.edu/accounts/
Replace `<serviceaccount_netid>` with the service account’s NetID. The number after `-k` is the kvno reported by the `kvno` command (3 in this example); use whatever value your own `kvno` output shows.

```
$ kinit -c temp_ticket_cache <serviceaccount_netid>
$ kvno -c temp_ticket_cache krbtgt/KIEWIT.DARTMOUTH.EDU@KIEWIT.DARTMOUTH.EDU
krbtgt/KIEWIT.DARTMOUTH.EDU@KIEWIT.DARTMOUTH.EDU: kvno = 3
$ rm temp_ticket_cache
$ ktutil
ktutil: add_entry -password -p <serviceaccount_netid>@KIEWIT.DARTMOUTH.EDU -e aes256-cts-hmac-sha1-96 -k 3
(enter password at the prompt)
ktutil: write_kt ./mykey
ktutil: quit
```
Note: ktutil does not check that the password is correct. If you typed it wrong (or later change the password) this keytab file won’t work. As long as you know the password, you can always create a new keytab file. An easy way to validate the keytab file is to create a ticket cache using it; you will get an error if the password is wrong.
```
$ kinit -c temp_ticket_cache -k -t mykey <serviceaccount_netid>@KIEWIT.DARTMOUTH.EDU
(no output here is good)
$ rm temp_ticket_cache
```
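The steps above can be wrapped in a few shell functions so that the kvno is parsed rather than copied by hand, the finished keytab is checked for safe file permissions, and an automated job gets its own throwaway ticket cache. The script below is an added example written for this page, not part of the Research Computing documentation or of MIT Kerberos; it assumes the MIT `kinit`, `kvno`, `kdestroy` and `ktutil` tools used above and the `KIEWIT.DARTMOUTH.EDU` realm from the page. The function names, the sample `kvno` line (copied from the output shown above) and the `/path/on/dartfs` placeholder are illustrative.

```shell
#!/bin/sh
# Added example for the keytab workflow on this page (not the page's or MIT Kerberos's own code).
# Assumes MIT Kerberos tools and the realm named on the page; function names are illustrative.

REALM="KIEWIT.DARTMOUTH.EDU"

# The kvno step prints a line like
#   krbtgt/KIEWIT.DARTMOUTH.EDU@KIEWIT.DARTMOUTH.EDU: kvno = 3
# extract_kvno prints just the number so it can be passed to "add_entry ... -k N".
# Prints nothing and returns 1 if the line carries no kvno (e.g. an error message).
extract_kvno() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# A keytab is as sensitive as the password it was made from: anyone who can read it
# can act as the service account. Returns 0 only when the file exists and is readable
# by its owner alone (mode 600 or 400). Tries GNU stat first, then BSD stat.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Steps 1-3 of the page: get a ticket for the service account (kinit prompts for the
# password), read the krbtgt kvno, and leave no ticket cache behind.
lookup_kvno() {   # $1 = service account NetID
    cache=$(mktemp) || return 1
    kinit -c "$cache" "$1@$REALM" || { rm -f "$cache"; return 1; }
    line=$(kvno -c "$cache" "krbtgt/$REALM@$REALM")
    kdestroy -c "$cache" 2>/dev/null; rm -f "$cache"
    extract_kvno "$line"
}

# The page's validation step: obtain a ticket from the keytab into a throwaway cache.
# Returns kinit's exit status (0 means the keytab matches the current password and kvno).
validate_keytab() {   # $1 = keytab path, $2 = service account NetID
    keytab_perms_ok "$1" || echo "warning: $1 is readable by others; run: chmod 600 $1" >&2
    cache=$(mktemp) || return 1
    kinit -c "$cache" -k -t "$1" "$2@$REALM"
    status=$?
    kdestroy -c "$cache" 2>/dev/null; rm -f "$cache"
    return $status
}

# How a cron job would use the keytab: a private cache for the job's lifetime, the
# command run with that cache, then the tickets destroyed. Example (placeholder path):
#   run_with_keytab ./mykey svc_netid ls /path/on/dartfs
run_with_keytab() {   # $1 = keytab path, $2 = service account NetID, $3... = command
    keytab="$1"; acct="$2"; shift 2
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -k -t "$keytab" "$acct@$REALM" || { rm -f "${KRB5CCNAME#FILE:}"; return 1; }
    "$@"
    status=$?
    kdestroy 2>/dev/null; rm -f "${KRB5CCNAME#FILE:}"
    return $status
}
```

`umask 077` before `write_kt` (or `chmod 600 mykey` afterwards) is the simplest way to make `keytab_perms_ok` pass; `validate_keytab` only warns about permissions, it does not change them. Using a per-job `KRB5CCNAME` keeps the service account's tickets out of the default cache of whoever owns the cron entry.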