Why does fetching a keytab influence its version number?
If i have three servers in a load balancer service compound and do a
ipa-getkeytab -k /etc/httpd.keytab -p
on each of the servers the kvno will be increased with every fetch
command leading to invalidating the keytab on the first two servers if I
issue the command on the third?
I would really appreciate some clarification here.
On 2017-09-14 11:46, Alexander Bokovoy wrote:
On to, 14 syys 2017, Ronald Wimmer via FreeIPA-users wrote:
today I found out that some entries in a keytab file seemed to have
Request ticket server HTTP/mwc.linux.mydomain...@linux.mydomain.at
kvno 4 not found in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the problem. But
why is this happening? Do keytab entries expire? I have not set any
custom password or ticket policies.
You did most likely change the key on the KDC side by running
ipa-getkeytab at some other place. This is what kvno 4 tells you about
-- it is key version number. 4 means there were at least three different
changes since that original key issuance time already.
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org