On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote: > On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote: > > 1. Using automatic login with the lightdm display manager, I have it > > run the > > following script to remove any old Kerberos ccaches, then obtain a new > > ticket > > on behalf of the user, and set the appropriate permissions and > > SELinux > > context. Note that in this case, I echo the password to kinit -- If > > I > > exported a keytab, I would not be able to manually login with a known > > password > > if there were a problem. > > Just FYI, this is not strictly true, look at the -P, --password option > of ipa-getkeytab
Thanks. I didn't notice that option since I'd been using this method since before I started using IPA. Is the password used to genterate a principle still usable after a keytab has been exported? I seem to remember from my pre-IPA days of using a plain old standalone MIT KDC that I couldn't use the password to authenticate after they keytab had been exported using kadmin. Again, I never really investigated it, but the password never seemed to work after the keytab was exported. -A -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Description: This is a digitally signed message part.
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users