Why does fetching a keytab influence its version number?
If i have three servers in a load balancer service compound and do a
ipa-getkeytab -k /etc/httpd.keytab -p
HTTP/[email protected]
on each of the servers the kvno will be increased with every fetch
command leading to invalidating the keytab on the first two servers if I
issue the command on the third?
I would really appreciate some clarification here.
Regards,
Ronald
On 2017-09-14 11:46, Alexander Bokovoy wrote:
On to, 14 syys 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,
today I found out that some entries in a keytab file seemed to have
expired:
Request ticket server HTTP/[email protected]
kvno 4 not found in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the problem. But
why is this happening? Do keytab entries expire? I have not set any
custom password or ticket policies.
You did most likely change the key on the KDC side by running
ipa-getkeytab at some other place. This is what kvno 4 tells you about
-- it is key version number. 4 means there were at least three different
changes since that original key issuance time already.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
