Under what circumstances would my host have a shared secret with the KDC? Note: I moved the keytab file to a directory not in my path and I could still kinit the Win2k KDC. I'm still trying to figure out why MS said I need the keytab file on the unix host. Based on Sean's response I'm inclined to believe the only reason is that my host would automatically authenticate with the KDC (if necessary) when someone logs into it.
If that's true, logically it would make sense that the principal password is stored in the keytab file. The contents of this file should then be the same as the result of the encrypt/hash algorithm kinit uses. True? If all that's true then it would stand to reason that the file isn't necessary unless someone logs into my unix host. Let me further qualify that by adding the exemption of kerberized software that is capable of using a keytab file to automate authentication. Am I right?

"David Lawler Christiansen (NT)" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]. ntdev.microsoft.com...
>
>
> > From: Nicolas Williams [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 29, 2002 6:40 AM
> > [...]
>
> > In an ActiveDirectory world every host needs a keytab.
>
> AD does not mandate the use of a keytab. However, you need a keytab if
> your host is going to have a shared secret with the KDC, just as you
> would with any other Kerberos Realm.
>
