On Wednesday, November 14, 2012 08:30:48 AM Simo Sorce wrote:
> > > Just FYI, this is not strictly true, look at the -P, --password option
> > > of ipa-getkeytab
> >
> > Thanks. I didn't notice that option since I'd been using this method
> > since before I started using IPA.
> >
> > Is the password used to generate a principal still usable after a keytab
> > has been exported? I seem to remember from my pre-IPA days of using a
> > plain old standalone MIT KDC that I couldn't use the password to
> > authenticate after the keytab had been exported using kadmin. Again, I
> > never really investigated it, but the password never seemed to work after
> > the keytab was exported.
>
> If you ask kadmin to randomize the password, then you are basically
> changing the password at the time you export the keytab with a random
> one, so your old password won't work anymore and you do not know the
> new random one.
>
> But if you tell ipa-getkeytab to use a specific secret when generating
> the keytab, that is what is used to generate the new keys, so whether you
> use pre-computed hashes in the keytab or manually regenerate them at
> kinit time using a password makes no difference.
>
> Of course, if you then change your password or get a new keytab you will
> change keys again, so the previous password/keytab won't work anymore.
>
> Simo.
Thanks Simo and Petr for clarifying this. This is something that I'll definitely take a look at now having this information.

-A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
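The behaviour Simo describes (a randomized keytab replaces the principal's key, while a keytab generated from a known secret stays in sync with that password) is easy to model. The following is an added illustration, not FreeIPA or MIT Kerberos code: it keeps a toy principal database in memory, derives keys with the PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key function (the real algorithm then applies an AES-based DK() step, omitted here; the keytab format is likewise a plain dict), and shows which of the password and the exported keytab still authenticate after each kind of export. The principal name and passwords are constructed.

```python
import hashlib
import secrets

# RFC 3962 string-to-key for the AES enctypes begins with
# PBKDF2-HMAC-SHA1(password, salt, 4096 iterations). The real algorithm
# follows this with an AES-based DK() step, which this added example
# skips; the point here is only that the key is a deterministic function
# of (password, salt), so a keytab built from a known password and a
# later kinit with that password agree, while a randomized key does not.
ITERATIONS = 4096
KEY_LEN = 32  # aes256-cts-hmac-sha1-96 key size


def default_salt(principal: str) -> bytes:
    """MIT default salt: the realm followed by the principal's name components."""
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()


def string_to_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key (DK() step omitted, see above)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, KEY_LEN)


class ToyKDC:
    """In-memory principal database: principal -> current long-term key."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, default_salt(principal))

    def export_keytab_randomized(self, principal: str) -> dict:
        # Models kadmin's default ktadd (or ipa-getkeytab without -P): a fresh
        # random key replaces the stored one, so the old password no longer
        # matches anything the KDC knows.
        key = secrets.token_bytes(KEY_LEN)
        self.keys[principal] = key
        return {principal: key}

    def export_keytab_with_password(self, principal: str, password: str) -> dict:
        # Models ipa-getkeytab -P: the new key is derived from the supplied
        # secret, so the keytab and a later kinit with that password agree.
        key = string_to_key(password, default_salt(principal))
        self.keys[principal] = key
        return {principal: key}

    def kinit_with_password(self, principal: str, password: str) -> bool:
        return self.keys[principal] == string_to_key(password, default_salt(principal))

    def kinit_with_keytab(self, principal: str, keytab: dict) -> bool:
        return self.keys[principal] == keytab[principal]


def demo() -> dict:
    """Walk through both export styles and report what still authenticates."""
    p = "host/web01.example.test@EXAMPLE.TEST"  # constructed principal
    kdc = ToyKDC()
    kdc.add_principal(p, "correct horse battery staple")
    out = {"before_export": kdc.kinit_with_password(p, "correct horse battery staple")}

    # 1. Randomized export: keytab works, the original password stops working.
    kt_random = kdc.export_keytab_randomized(p)
    out["randomized_keytab"] = kdc.kinit_with_keytab(p, kt_random)
    out["old_password_after_randomize"] = kdc.kinit_with_password(p, "correct horse battery staple")

    # 2. Export with a chosen secret (-P): keytab and that password both work,
    #    and the earlier randomized keytab is now stale.
    kt_pw = kdc.export_keytab_with_password(p, "new shared secret")
    out["password_keytab"] = kdc.kinit_with_keytab(p, kt_pw)
    out["password_after_P"] = kdc.kinit_with_password(p, "new shared secret")
    out["random_keytab_after_P"] = kdc.kinit_with_keytab(p, kt_random)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'OK' if ok else 'FAILS'}")
```

Running it prints one line per check; the two `FAILS` entries are the randomized key losing the old password and the stale randomized keytab after a subsequent `-P` export, exactly the "previous password/keytab won't work anymore" case in the thread.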
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users