The ktutil command enables a user without kadmin privileges to disable a service. This user can also restore the service. For more information, see the ktutil(1) man page.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
You use this temporary file to re-enable authentication in Step 9.
# /usr/bin/ktutil
ktutil: read_kt keytab
ktutil: list
The current keylist buffer is displayed. Note the slot number for the service that you want to disable.
ktutil: delete_entry slot-number
Here, slot-number is the slot number, as shown in the list output, of the service principal to delete.
ktutil: write_kt new-keytab
ktutil: quit
# mv new-keytab keytab
# cp original-keytab keytab
In this example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, the administrator copies the saved keytab file to its original location.
denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.save
denver # /usr/bin/ktutil
ktutil:read_kt /etc/krb5/krb5.keytab
ktutil:list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/[email protected]
   2    5 host/[email protected]
ktutil:delete_entry 2
ktutil:list
slot KVNO Principal
---- ---- --------------------------------------
   1    8 root/[email protected]
ktutil: quit
denver # cp /etc/krb5/nodenverhost.krb5.keytab /etc/krb5/krb5.keytab
The host is unavailable until the user copies the saved file back to its original location.
denver # cp /etc/krb5/krb5.keytab.save /etc/krb5/krb5.keytab
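The step of noting the slot number from the list output is where a wrong entry is most easily deleted, especially when one principal has several key versions. The following is an added example, not part of the original documentation: a shell helper that reads saved list output and prints every slot for an exact principal name, highest slot first. The function names, the principal names, and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the keylist slot(s) for one service principal in
# saved `ktutil list` output before running delete_entry.

# Constructed sample of `list` output (not taken from a real keytab).
# The host principal appears twice, once per key version number (KVNO).
sample_list() {
    cat <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/host1.example.com@EXAMPLE.COM
   2    5 host/host1.example.com@EXAMPLE.COM
   3    6 host/host1.example.com@EXAMPLE.COM
   4    2 nfs/host10.example.com@EXAMPLE.COM
EOF
}

# slots_for_principal PRINCIPAL
# Reads `list` output on stdin and prints the matching slot numbers,
# highest first, so that deleting them in that order never depends on
# how the remaining slots are numbered afterwards.
# Returns 1 when the principal is not present in the keylist.
slots_for_principal() {
    _sfp_slots=$(awk -v want="$1" '
        # Data rows are "slot KVNO principal"; the header and the dashed
        # rule fail the numeric tests. The principal must match exactly,
        # so host/host1 never matches host/host10.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 == want { print $1 }
    ')
    [ -n "$_sfp_slots" ] || return 1
    printf '%s\n' "$_sfp_slots" | sort -rn
}

# Demonstration on the constructed listing: prints 3, then 2.
sample_list | slots_for_principal "host/host1.example.com@EXAMPLE.COM"
```

A non-zero return means that the principal is not in the keylist, in which case no delete_entry command should be issued.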