On Wednesday, November 14, 2012 09:42:03 AM Petr Spacek wrote:
> >> Just FYI, this is not strictly true, look at the -P, --password option
> >> of ipa-getkeytab
> >
> > Thanks. I didn't notice that option since I'd been using this method
> > since before I started using IPA.
> >
> > Is the password used to generate a principal still usable after a keytab
> > has been exported? I seem to remember from my pre-IPA days of using a
> > plain old standalone MIT KDC that I couldn't use the password to
> > authenticate after the keytab had been exported using kadmin. Again, I
> > never really investigated it, but the password never seemed to work after
> > the keytab was exported.
> Kadmin from original MIT Kerberos has two flavors: kadmin and kadmin.local.
>
> Only "kadmin.local" (which works locally on KDC) can export keytab without
> re-generating key (i.e. password).
>
> Network version - "kadmin" - has to re-generate key before each export.

Petr, you are right. I never knew that distinction between kadmin and kadmin.local. It was kadmin that I would use on remote machines to export the keytab, rendering the original password useless. Thanks for the info.

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E