Adopt a service account

This section describes how to adopt a service account. The permissions required depend on the option chosen.

In a Kerberized environment, there are times when a service account needs to obtain a Kerberos credential and renew that credential indefinitely for a long-running process.

Another scenario is configuring a clustered environment where a virtual host account needs to provide services using an additional ServicePrincipalName (SPN).

One way to achieve goals such as, but not limited to, the above scenarios is to use the Centrify command adkeytab to adopt a service account and build a keytab file.

Option 1: Reset the service account password

Let the adkeytab command reset this service account's password while adopting the account. The current password of the service account is not required.

With this option, the account adopting the service account needs the reset password and change password permissions on the service account. For example:

adkeytab --adopt -u svcadmin -K /etc/svcacct.keytab svcacct

In this example, the account svcadmin performs the adoption, so it must have permission to reset and change the password of the adopted account svcacct. After the adoption, the password of the service account svcacct is reset to a randomly generated password.

Option 2: Provide the existing service account password

Provide this service account's current password to the adkeytab command while adopting the account. The current password for this service account is required.

With this option, the account adopting the service account does not need any extra permissions; the default read permission is enough. The --local and -w flags are required to adopt the account this way. For example:

adkeytab --adopt -u svcadmin --local -w <password> -K /etc/svcacct.keytab svcacct

where <password> is the current password of the account svcacct. After the adoption, the password of this service account is not changed or reset.

See the adkeytab man page for a complete list of options and their descriptions.
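
With either option, the keytab written by -K holds the service account's long-term keys, so the file is as sensitive as the password itself. The following shell check is an added example, not part of the Centrify documentation or tooling; check_keytab and its return codes are hypothetical, and the expected owner is an assumption you supply.

```shell
#!/bin/sh
# Added example: post-adoption check of the keytab that adkeytab -K wrote.
# check_keytab and its return codes are hypothetical, not a Centrify tool.
# Usage: check_keytab <keytab-path> <expected-owner-name-or-uid>
check_keytab() {
    kt=$1
    owner=$2

    # A symlink could point readers at a file someone else controls.
    if [ -L "$kt" ]; then
        echo "FAIL: $kt is a symbolic link" >&2; return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing or not a regular file" >&2; return 2
    fi
    if [ ! -s "$kt" ]; then
        echo "FAIL: $kt is empty" >&2; return 3
    fi

    # Accept either a user name or a numeric UID for the expected owner.
    case $owner in
        *[!0-9]*) want=$(id -u "$owner") || return 4 ;;
        *)        want=$owner ;;
    esac

    # ls -ldn prints the mode string (field 1) and numeric owner UID (field 3).
    lsout=$(ls -ldn -- "$kt")
    mode=$(printf '%s\n' "$lsout" | awk '{print $1}')
    uid=$(printf '%s\n' "$lsout" | awk '{print $3}')

    if [ "$uid" != "$want" ]; then
        echo "FAIL: $kt is owned by UID $uid, expected $want" >&2; return 4
    fi
    # Characters 5-10 of the mode string are the group and other bits;
    # all six must be "-" so only the owner can read the keys.
    case $mode in
        ????------*) ;;
        *) echo "FAIL: $kt mode $mode grants group/other access" >&2; return 5 ;;
    esac
    echo "OK: $kt ($mode, UID $uid)"
}

# Run the check when called as: script <keytab-path> <owner>
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

For the commands above, the path to check is /etc/svcacct.keytab, with the account that runs the service as the expected owner.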