On Wed, 2012-11-14 at 00:22 -0600, Anthony Messina wrote:
> On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote:
> > On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
> > > 1. Using automatic login with the lightdm display manager, I have it
> > > run the 
> > > following script to remove any old Kerberos ccaches, then obtain a new
> > > ticket 
> > > on behalf of the user, and set the appropriate permissions and
> > > SELinux 
> > > context.  Note that in this case, I echo the password to kinit -- If
> > > I 
> > > exported a keytab, I would not be able to manually login with a known
> > > password 
> > > if there were a problem.
> > 
> > Just FYI, this is not strictly true, look at the -P, --password option
> > of ipa-getkeytab
> Thanks.  I didn't notice that option since I'd been using this method since 
> before I started using IPA.
> Is the password used to genterate a principle still usable after a keytab has 
> been exported?  I seem to remember from my pre-IPA days of using a plain old 
> standalone MIT KDC that I couldn't use the password to authenticate after 
> they 
> keytab had been exported using kadmin.  Again, I never really investigated 
> it, 
> but the password never seemed to work after the keytab was exported.

If you ask kadmin to randomize the password, then you are basically
*changing* the password at the time you export the keytab with a random
one, so your *old* password won't work anymore and you do not know the
new random one.

But if you tell ipa-getkeytab to use a specific secret when generating
the keytab that is what is used to generate the new keys, so whether you
use pre-computed hashes in the keytab or manually regenerate them at
kinit time using a password it makes no difference.

Of course if you then change your password or get a new keytab you will
change again keys so the repvious password/keytab won't work anymore.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to