On Sat, Apr 07, 2007 at 11:00:40AM -0700, Adam Megacz wrote:
> One problem: all the principals in that keytab are named
> "domtool/[EMAIL PROTECTED]", not domtool/[EMAIL PROTECTED]
> as these commands expect.

Yes, this wasn't changed "again", I clearly said that I changed it at the time of change. I have also renamed the files in /etc/keytabs/ for the purpose of being able to know the name of the principal in the file, by looking at the file name. (So keytab file domtool.deleuze surely holds principal domtool/deleuze in it.)

I have also edited some scripts to use .../deleuze instead of /deleuze.hcoop.net, so I thought you surely noticed the change, AC.

In any case, you can always klist -k keytab_file, to see the names of principals stored in there.

> using k5start -U instead of kinit..
> This eliminates any possibility of this sort of mix-up -- the
> principal is detected automatically from the keytab, not taken from
> the command line.

Yes, this is excellent. Unlike kinit, k5start -U kinits as the first principal found within the keytab file. We already use this in mysql/postgres/apache scripts which themselves don't even know which principal they'll kinit as.. they just invoke k5start -U on the keytab file...

So yes, Adamc, for long term smooth operation, you could just replace all kinits with k5start -U -f keytab_file, and not worry about any explicit principal names.

(As Adamm said, we already have this policy of storing only a single principal in one file, so there's no room for confusion. The reason why you see more (seemingly equal) entries in a keytab when you invoke klist on it, is just that each principal has more keys, of different types..).

-doc

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
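An added example, not part of the original message or of HCoop's scripts: a shell check that a keytab listing holds exactly one distinct principal and that it matches the file-name convention described above (domtool.deleuze holds domtool/deleuze), which is what makes k5start -U safe to rely on. It assumes the plain MIT `klist -k` layout (rows of "KVNO principal"); the function names, the sample listing and the realm EXAMPLE.REALM are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `klist -k` output for the one-principal-per-keytab policy.

# Print the distinct principals in `klist -k` output read from stdin.
# Assumption: plain MIT layout, data rows are "<kvno> <principal>".
# Repeated rows (one per key type) collapse to a single line.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# check_keytab_listing NAME   (NAME = keytab base name, e.g. domtool.deleuze)
# Reads `klist -k` output on stdin.
# Returns 0 and prints the principal if exactly one principal is present and
# it equals NAME with the first "." turned into "/"; 1 if the count is not
# one; 2 if the principal does not match the file name.
check_keytab_listing() {
    expected=$(printf '%s' "$1" | sed 's|\.|/|')
    principals=$(keytab_principals)
    count=$(printf '%s\n' "$principals" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "$1: expected 1 principal, found $count" >&2
        return 1
    fi
    # Compare without the realm, since the file name carries none.
    if [ "${principals%@*}" != "$expected" ]; then
        echo "$1: holds $principals, expected $expected" >&2
        return 2
    fi
    printf '%s\n' "$principals"
}

# Constructed sample of what `klist -k /etc/keytabs/domtool.deleuze` might
# print; the realm and key version numbers are placeholders.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/keytabs/domtool.deleuze
KVNO Principal
---- ----------------------------------------
   3 domtool/deleuze@EXAMPLE.REALM
   3 domtool/deleuze@EXAMPLE.REALM
   3 domtool/deleuze@EXAMPLE.REALM
EOF
}

# On a real host the listing would come from the keytab itself:
#   klist -k "$f" | check_keytab_listing "$(basename "$f")"
sample_listing | check_keytab_listing domtool.deleuze
```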
