On Mon, 2012-09-17 at 11:04 +0930, William Brown wrote:
> In freeipa, we export a keytab for a service. Say we upgrade our freeipa
> install, and the newer version of MIT kerberos supports a stronger
> encryption type on the KDC. Does freeipa automatically refresh the
> keytabs of hosts / services with a new keytab that also contains these
> stronger encryption types? Does this matter if it does / doesn't happen?
No, FreeIPA can't, and it does matter, because FreeIPA doesn't know if
the service actually does know how to use new encryption types, but most
importantly FreeIPA does not have a mechanism to 'push' this change to
Keytabs contain shared (between KDC and service) secrets, so they have
to be kept consistent and in sync between the KDC and the service. If
the KDC unilaterally changes a keytab, the service can't see the changes
reflected in its keytab, and when a ticket comes in with the new
encryption type it will have no key to decrypt it.
Also, even if we could somehow push an updated keytab, then if the
service doesn't support the new encryption types the outcome would be
that authentication would be broken, as the KDC would use the strongest
enctype to encrypt tickets sent to clients and the service wouldn't be
able to decrypt them even if it has a key.
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list
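The check an admin would want after such a KDC upgrade is whether a service's keytab still holds a key for every enctype the KDC has for that principal, which is what `klist -ke` shows by hand. The following is an added example, not code from the thread or from FreeIPA: it parses the MIT keytab v2 file layout and reports the KDC enctypes a keytab is missing. The sample keytab is constructed inline with a small writer, and the KDC's key list for the principal is an assumed input obtained out of band.

```python
import struct

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples in MIT keytab v2 layout."""
    out = b"\x05\x02"   # sample input only; a real keytab comes from ipa-getkeytab
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name type NT-PRINCIPAL(1), timestamp, 8-bit kvno, keyblock enctype/length
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal@REALM, kvno, enctype) for every live entry in keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, strings = pos + 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _, _, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        if end - pos >= 4:            # newer MIT writers append a 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries

def enctypes_missing_from_keytab(keytab, principal, kdc_enctypes):
    """KDC key types for `principal` the keytab lacks: tickets using them are undecryptable."""
    have = {e for p, _, e in parse_keytab(keytab) if p == principal}
    return sorted(set(kdc_enctypes) - have)

# Constructed sample: keytab exported before the KDC gained AES-SHA2 keys (enctypes 19, 20).
SAMPLE_PRINCIPAL = "HTTP/www.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = build_keytab([("HTTP/www.example.test", "EXAMPLE.TEST", 2, 18, b"\x11" * 32),
                              ("HTTP/www.example.test", "EXAMPLE.TEST", 2, 17, b"\x22" * 16)])
KDC_ENCTYPES_AFTER_UPGRADE = [17, 18, 19, 20]   # assumed KDC key list, obtained out of band
```

Calling `enctypes_missing_from_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, KDC_ENCTYPES_AFTER_UPGRADE)` on the sample returns `[19, 20]`, the enctypes a re-exported keytab would have to add before the KDC may issue tickets with them.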