On Wednesday, November 14, 2012 09:42:03 AM Petr Spacek wrote:
> >> Just FYI, this is not strictly true, look at the -P, --password option
> >> of ipa-getkeytab
> > 
> > Thanks.  I didn't notice that option since I'd been using this method
> > since
> > before I started using IPA.
> > 
> > Is the password used to generate a principal still usable after a keytab
> > has been exported?  I seem to remember from my pre-IPA days of using a
> > plain old standalone MIT KDC that I couldn't use the password to
> > authenticate after the keytab had been exported using kadmin.  Again, I
> > never really investigated it, but the password never seemed to work after
> > the keytab was exported.
> Kadmin from original MIT Kerberos has two flavors: kadmin and kadmin.local.
> 
> Only "kadmin.local" (which works locally on KDC) can export keytab without 
> re-generating key (i.e. password).
> 
> Network version - "kadmin" - has to re-generate key before each export.

Petr, you are right.  I never knew that distinction between kadmin and 
kadmin.local.  It was kadmin that I would use on remote machines to export the 
keytab, rendering the original password useless.

Thanks for the info.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
