keytab
A keytab is a file that stores a Kerberos principal (the user account) together with an encryption key derived from that account's password; it never holds the clear-text password itself.
When you want to integrate Unix systems with AD, you can either
- type the password (in clear text) into a configuration file somewhere, and perhaps encrypt that file, or
- store the key derived from the password in a keytab file.
Option 2 is more secure, because the password itself never has to be written down. Treat the keytab as equivalent to the password, though: anyone who can read the file can authenticate as that account, so protect it with restrictive file permissions.
How to create a keytab (using ktpass.exe)
The ktpass command must be run on a member server or a domain controller of the Active Directory domain, from an elevated (administrator) prompt.
Note: if you re-create a keytab for the same SPN, you will need to (1) make sure the application server configuration points to the new keytab file name (if you have changed it) and (2) restart the application service engine so that it picks up the new keys, since re-running ktpass resets the account password and increments the key version number, which invalidates the old keytab.
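The ktpass run described above, as an added example that is not part of the original page: it creates a keytab for a web service SPN on a domain-joined Windows host and restricts the output file before it is copied to the Unix server. The realm, host name, service account and paths are placeholders to be replaced with your own.

```powershell
# Added example (not from the page): create a keytab for a service SPN on a
# domain-joined Windows host, then lock down the output file before copying it
# to the Unix application server. Realm, host names, account and paths are
# placeholders; replace them with your own.

$Realm   = 'CORP.EXAMPLE.COM'             # Kerberos realm = AD domain name, upper case
$Spn     = 'HTTP/app01.corp.example.com'  # SPN the Unix service will authenticate as
$Account = 'CORP\svc-app01'               # AD account the SPN is mapped to
$Keytab  = 'C:\keytabs\app01.keytab'

New-Item -ItemType Directory -Path (Split-Path $Keytab) -Force | Out-Null

# /pass *  prompts for the password instead of taking it on the command line,
#          so it does not land in the console history or process-creation logs.
# /crypto  AES256-SHA1 avoids writing weak RC4/DES keys into the file.
# Note: ktpass resets the account password to the value given and bumps the key
# version number (kvno), so any older keytab for this SPN stops working. That is
# why the application must be pointed at the new file and restarted afterwards.
ktpass /princ "$Spn@$Realm" `
       /mapuser $Account `
       /ptype KRB5_NT_PRINCIPAL `
       /crypto AES256-SHA1 `
       /pass * `
       /out $Keytab

if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# The keytab is equivalent to the account password: strip inherited ACEs and
# leave only the creating admin and local Administrators with access until the
# file is handed to the service owner.
$Me = "$($env:USERDOMAIN)\$($env:USERNAME)"
icacls $Keytab /inheritance:r /grant:r "${Me}:(R)" "BUILTIN\Administrators:(F)" | Out-Null
Get-Acl $Keytab | Format-List Path, AccessToString

# On the Unix side, after copying the file (for example to /etc/app01.keytab,
# mode 0600, owned by the service user), confirm it is usable before restarting
# the application:
#   klist -kt /etc/app01.keytab        # lists the principal and its kvno
#   kinit -kt /etc/app01.keytab HTTP/app01.corp.example.com@CORP.EXAMPLE.COM
```

Copy the keytab over an authenticated channel (scp or similar) and delete the Windows copy once the transfer is confirmed, so that only one protected copy of the key remains.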