In case you’ll need another keytab for kerberos binding (e.g. mod_auth_kerb, creating and exporting keytabs can be done like this
Random Password
We do not need it later, it’s just necessary for importing the record.
python
import base64
base64.b64encode('myRandomPassword'.encode('utf-16-le'))
'MgAzAFcAawBhADUAdgBtAHoAagA='
Exit with CTRL+D
LDIF for principal (if new one)
$ cat > /tmp/PRINCIPAL.ldif << EOF
dn: CN=HOSTNAME,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: Service Account for #######
userAccountControl: 66048
accountExpires: 9223372036854775807
sAMAccountName: HOSTNAME
servicePrincipalName: SERVICETYPE/HOSTNAME.lan.example.com
clearTextPassword:: HASH-FROM-ABOVE
EOF
Import principal
$ ldbadd -H ldap://DOMAINCONTROLLER -v -k yes /tmp/PRINCIPAL.ldif
Export keytab
$ samba-tool domain exportkeytab /tmp/PRINCIPAL.keytab --principal=PRINCIPAL
Check
$ kinit -V -k -t /tmp/PRINCIPAL.keytab
Using default cache: /tmp/krb5cc_0
Using principal: PRINCIPAL@EXAMPLE.COM
Using keytab: /tmp/PRINCIPAL.keytab
Authenticated to Kerberos v5