On Fri, 2012-06-29 at 08:08 -0700, george he wrote:
> Hello,
>
> > do you mean to run only this on the nfs-server?
> >
> > ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve....@myrealm.edu -k /etc/krb5.keytab
>
> Rob says to run ipa-getkeytab on each machine... So I guess I should
> run the above command on the ipa-server before I run it on the
> nfs-server?
> Otherwise it seems to me the nfs-server won't know the new keytab
> in /tmp/ on the ipa-server.
George, you need to think about a keytab as a password. It is the password for the specific service named in the principal name. *Only* that service (the nfs server in this case) must know the keys. If you leak the keys, you are compromising the security of your deployment.

In general, extra care needs to be used in managing keys. At no point should they be world readable, for example, and they should always be transmitted securely (either enveloped in a gpg file or copied using scp/sftp or similar methods that ensure the communication is encrypted).

The best way to ensure keys are properly handled is to retrieve them directly on the target machine, and only there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
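The practice Simo describes (fetch the keytab on the NFS server itself, then make sure nothing but root can read it), written out as an added example script that is not from the thread or from FreeIPA. The IPA server name is taken from the thread; the service principal, realm and keytab path are placeholders to adjust, and `fetch_keytab` assumes you already hold a credential that `ipa-getkeytab` accepts (e.g. via `kinit admin`).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Run this ON the NFS server.
# Placeholders (assumptions): the principal/realm and the keytab path.
IPA_SERVER="my.ipaserver.edu"
PRINCIPAL="nfs/$(hostname -f 2>/dev/null || hostname)@MYREALM.EDU"  # placeholder
KEYTAB="/etc/krb5.keytab"

# keytab_is_private FILE: returns 0 when FILE exists and carries no group or
# other permission bits (0600 or stricter), 1 otherwise. It reads the mode
# from "ls -ld" (columns 5-10 are the group/other bits), so it works on both
# GNU and BSD userlands without relying on stat's differing flags.
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# fetch_keytab: retrieve the service keys directly on this host and lock the
# file down before any other process gets a chance to read it.
fetch_keytab() {
    umask 077   # any file created from here on has no group/other bits
    ipa-getkeytab -s "$IPA_SERVER" -p "$PRINCIPAL" -k "$KEYTAB" || return 1
    chown root:root "$KEYTAB" && chmod 0600 "$KEYTAB" || return 1
    keytab_is_private "$KEYTAB"
}

# Only perform the retrieval when explicitly asked to ("./script fetch");
# "./script check" just audits the existing file's permissions.
case "${1:-}" in
    fetch) fetch_keytab && echo "keytab retrieved and locked down: $KEYTAB" ;;
    check) keytab_is_private "$KEYTAB" && echo "ok: $KEYTAB is not group/world readable" ;;
esac
```

Note that `ipa-getkeytab` generates a new key each time it is run, so any earlier copy of the keytab for that principal stops working; this is one more reason to retrieve it once, on the target host only.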