On Wednesday, November 14, 2012 08:30:48 AM Simo Sorce wrote:
> > > Just FYI, this is not strictly true, look at the -P, --password option
> > > of ipa-getkeytab
> >
> > Thanks.  I didn't notice that option since I'd been using this method
> > since before I started using IPA.
> >
> > Is the password used to generate a principal still usable after a keytab
> > has been exported?  I seem to remember from my pre-IPA days of using a
> > plain old standalone MIT KDC that I couldn't use the password to
> > authenticate after the keytab had been exported using kadmin.  Again, I
> > never really investigated it, but the password never seemed to work after
> > the keytab was exported.
> If you ask kadmin to randomize the password, then you are basically
> changing the password at the time you export the keytab with a random
> one, so your old password won't work anymore and you do not know the
> new random one.
> 
> But if you tell ipa-getkeytab to use a specific secret when generating
> the keytab that is what is used to generate the new keys, so whether you
> use pre-computed hashes in the keytab or manually regenerate them at
> kinit time using a password it makes no difference.
> 
> Of course if you then change your password or get a new keytab you will
> change again keys so the previous password/keytab won't work anymore.
> 
> Simo.

Thanks Simo and Petr for clarifying this.  This is something that I'll 
definitely take a look at now having this information.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
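The behaviour Simo describes (a randomized key invalidates the password, a keytab generated from a given password does not, and any later password change or re-export invalidates the old one) comes down to the fact that Kerberos long-term keys are derived deterministically from the password and the principal's salt. The following is an added example, not code from this thread or from FreeIPA/MIT Kerberos: a toy model of a KDC database with `ToyKDC`, `string_to_key`, `default_salt` and `scenario` all being constructed names. `string_to_key` performs only the PBKDF2 step of RFC 3962 with the default salt convention of RFC 4120; the real aes enctypes apply a further `DK(tkey, "kerberos")` step that needs AES and is omitted here. The realm, principal and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 3962 (aes256-cts-hmac-sha1-96) defaults: PBKDF2 iteration count and key length in bytes.
ITERATIONS = 4096
KEY_LEN = 32


def default_salt(principal: str, realm: str) -> bytes:
    """RFC 4120 default salt: realm name followed by the principal components, no separators."""
    return (realm + "".join(principal.split("/"))).encode()


def string_to_key(password: str, salt: bytes) -> bytes:
    """Deterministic password -> long-term key (PBKDF2 step of RFC 3962 only).

    Simplification: the real aes enctypes then run DK(tkey, "kerberos"), which
    requires AES; that step does not change the point shown here (same input, same key).
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, KEY_LEN)


class ToyKDC:
    """Minimal stand-in for a KDC principal database: principal -> (key, kvno)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}  # principal -> (key bytes, key version number)

    def _store(self, principal: str, key: bytes) -> int:
        # Every key change bumps the kvno, as a real KDC does.
        kvno = self.db.get(principal, (b"", 0))[1] + 1
        self.db[principal] = (key, kvno)
        return kvno

    def set_password(self, principal: str, password: str) -> int:
        """Password change: the KDC stores the key derived from the new password."""
        return self._store(principal, string_to_key(password, default_salt(principal, self.realm)))

    def export_keytab(self, principal: str, password: Optional[str] = None) -> dict:
        """Keytab export. Without a password the key is randomized (kadmin ktadd style);
        with one (ipa-getkeytab -P style) the key is derived from that password."""
        if password is None:
            key = secrets.token_bytes(KEY_LEN)
        else:
            key = string_to_key(password, default_salt(principal, self.realm))
        kvno = self._store(principal, key)
        return {"principal": principal, "kvno": kvno, "key": key}

    def kinit_password(self, principal: str, password: str) -> bool:
        """Does the key derived from this password match what the KDC holds now?"""
        key, _ = self.db[principal]
        return hmac.compare_digest(string_to_key(password, default_salt(principal, self.realm)), key)

    def kinit_keytab(self, keytab: dict) -> bool:
        """Does the keytab carry the KDC's current key and version?"""
        key, kvno = self.db[keytab["principal"]]
        return keytab["kvno"] == kvno and hmac.compare_digest(keytab["key"], key)


def scenario() -> dict:
    """Walk through the cases discussed in the thread and record which logins still work."""
    kdc = ToyKDC("EXAMPLE.COM")
    p = "host/srv.example.com"  # constructed sample principal
    out = {}
    kdc.set_password(p, "hunter2")
    out["password_before_export"] = kdc.kinit_password(p, "hunter2")
    random_kt = kdc.export_keytab(p)  # randomized key: the old password is gone
    out["password_after_random_export"] = kdc.kinit_password(p, "hunter2")
    out["random_keytab_works"] = kdc.kinit_keytab(random_kt)
    pw_kt = kdc.export_keytab(p, password="hunter2")  # key derived from a known password
    out["password_after_P_export"] = kdc.kinit_password(p, "hunter2")
    out["P_keytab_works"] = kdc.kinit_keytab(pw_kt)
    kdc.set_password(p, "new-secret")  # any later change invalidates both old credentials
    out["old_keytab_after_password_change"] = kdc.kinit_keytab(pw_kt)
    out["old_password_after_change"] = kdc.kinit_password(p, "hunter2")
    return out


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'works' if ok else 'fails'}")
```

The kvno check in `kinit_keytab` is why a stale keytab fails even if, by chance, it held the same key: a real KDC rejects or cannot decrypt with a key version it no longer holds, so re-exporting a keytab is a credential rotation for everyone holding the previous one.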


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
