On Wed, 2012-11-14 at 00:22 -0600, Anthony Messina wrote:
> On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote:
> > On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
> > > 1. Using automatic login with the lightdm display manager, I have it
> > > run the
> > > following script to remove any old Kerberos ccaches, then obtain a new
> > > ticket
> > > on behalf of the user, and set the appropriate permissions and
> > > SELinux
> > > context. Note that in this case, I echo the password to kinit -- If
> > > I
> > > exported a keytab, I would not be able to manually login with a known
> > > password
> > > if there were a problem.
> > Just FYI, this is not strictly true, look at the -P, --password option
> > of ipa-getkeytab
> Thanks. I didn't notice that option since I'd been using this method since
> before I started using IPA.
> Is the password used to genterate a principle still usable after a keytab has
> been exported? I seem to remember from my pre-IPA days of using a plain old
> standalone MIT KDC that I couldn't use the password to authenticate after
> keytab had been exported using kadmin. Again, I never really investigated
> but the password never seemed to work after the keytab was exported.
If you ask kadmin to randomize the password, then you are basically
*changing* the password at the time you export the keytab with a random
one, so your *old* password won't work anymore and you do not know the
new random one.
But if you tell ipa-getkeytab to use a specific secret when generating
the keytab that is what is used to generate the new keys, so whether you
use pre-computed hashes in the keytab or manually regenerate them at
kinit time using a password it makes no difference.
Of course if you then change your password or get a new keytab you will
change again keys so the repvious password/keytab won't work anymore.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list