Why does fetching a keytab influence its version number?

If I have three servers in a load balancer service compound and do a

ipa-getkeytab -k /etc/httpd.keytab -p HTTP/compoundservice.linux.mydomain...@linux.mydomain.at

on each of the servers the kvno will be increased with every fetch command leading to invalidating the keytab on the first two servers if I issue the command on the third?

I would really appreciate some clarification here.

Regards,
Ronald


On 2017-09-14 11:46, Alexander Bokovoy wrote:
On Thu, 14 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,

today I found out that some entries in a keytab file seemed to have expired:

Request ticket server HTTP/mwc.linux.mydomain...@linux.mydomain.at kvno 4 not found in keytab; keytab is likely out of date

Fetching the keytab again with ipa-getkeytab fixed the problem. But why is this happening? Do keytab entries expire? I have not set any custom password or ticket policies.

You did most likely change the key on the KDC side by running
ipa-getkeytab at some other place. This is what kvno 4 tells you about
-- it is key version number. 4 means there were at least three different
changes since that original key issuance time already.
