On Fri, 2012-06-29 at 08:08 -0700, george he wrote:
> Hello,
> do you mean to run only this on the nfs-server?
> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve....@myrealm.edu
> -k /etc/krb5.keytab
> Rob says to run ipa-getkeytab on each machine... So I guess I should
> run the above command on the ipa-server before I run it on the
> nfs-server?
> Otherwise it seems to me the nfs-server won't know the new keytab
> in /tmp/ on the ipa-server.

George, you need to think about a keytab as a password.
It is the password for the specific service named in the principal name.
*Only* that service (the nfs server in this case) must know the keys.
If you leak the keys, you are compromising the security of your

In general extra care needs to be used in managing keys.
At no point should they be world readable, for example, and they should
always be transmitted securely (either enveloped in a gpg file or copied
using scp/sftp or similar methods that ensure the communication is
The best way to ensure keys are properly handled is to retrieve them
directly on the target machine, and only there.


Simo Sorce * Red Hat, Inc * New York
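An added example, not part of the original thread, of the workflow Simo describes: run ipa-getkeytab on the service host itself so the keys never sit on the IPA server or in a /tmp copy, then verify the resulting file is readable by its owner only. The IPA server name, realm and keytab path are taken from George's message (the realm is assumed to be the uppercase form MYREALM.EDU, as Kerberos realms conventionally are); the principal is built from the local host's own FQDN so the same script works unchanged on any service host. The fetch step only runs when the script is invoked with `--fetch` as root, so the permission-check functions can be exercised on their own.

```shell
#!/bin/sh
# Added example (not the list's or FreeIPA's own code): retrieve the nfs
# service keytab directly on the NFS server and make sure it is not
# group- or world-readable afterwards.
#
# Assumed values, taken from the thread:
IPA_SERVER="my.ipaserver.edu"      # the IPA server George named
REALM="MYREALM.EDU"                # assumed uppercase form of myrealm.edu
KEYTAB="/etc/krb5.keytab"          # keytab path from George's command line

# Run ipa-getkeytab on this machine so the keys never leave it.
# The principal uses this host's FQDN; an admin ticket (kinit) is needed.
fetch_keytab_locally() {
    host_fqdn=$(hostname -f)
    ipa-getkeytab -s "$IPA_SERVER" -p "nfs/${host_fqdn}@${REALM}" -k "$KEYTAB"
}

# Return 0 when the group and other permission bits are all clear
# (mode 0600 or stricter), 1 otherwise. Parses ls -l output, which has
# the same column layout on GNU and BSD userland; a trailing '+' or '.'
# for ACLs/SELinux sits in column 11 and does not disturb columns 5-10.
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Clear the group/other bits so the keytab is no longer world readable.
harden_keytab_perms() {
    chmod 600 "$1"
}

# Usage on the NFS server:  sh get-nfs-keytab.sh --fetch   (as root)
if [ "${1:-}" = "--fetch" ] && [ "$(id -u)" -eq 0 ]; then
    fetch_keytab_locally
    harden_keytab_perms "$KEYTAB"
    if check_keytab_perms "$KEYTAB"; then
        echo "keytab fetched and permissions are owner-only"
    else
        echo "keytab permissions are still too open" >&2
        exit 1
    fi
fi
```

The permission check is deliberately separate from the fetch so it can be run from a cron job or configuration-management check against any keytab on the box, not only right after ipa-getkeytab.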

Freeipa-users mailing list
