Goofy :/ I wonder how people script kadmin queries with MIT-krb5.
You know, like, setting every principal's password expiration.

Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something. This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/[email protected]:
>> kadmin: ktadd -k admin.kt admin/admin
>> Entry for principal admin/admin with kvno 9, encryption type Triple DES
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin: quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/[email protected]:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
>
> This won't work. ktadd creates a new random key every time it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:
>
>     ktadd [-k keytab] [-q] [-e keysaltlist]
>     [principal | -glob princ-exp] [...]
>
>     Adds a principal or all principals matching princ-exp
>     to a keytab, randomizing each principal's key in the
>     process. ...
>
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
>
> --Shumon.
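An added example, not part of the original thread: one way to script the bulk password-expiration change with `kadmin -q`. Because ktadd randomizes the key, it authenticates as a dedicated principal whose only key lives in a keytab instead of a password principal such as admin/admin. The principal name `batch/admin`, the keytab path and the `KADMIN_BIN` override are assumptions; the principal needs list and modify rights in kadm5.acl.

```shell
#!/bin/sh
# Added example: names and paths below are assumed placeholders.
# The keytab is created once with:  ktadd -k <keytab> batch/admin
# Randomizing batch/admin's key is harmless because nobody types its password.
KADMIN_BIN="${KADMIN_BIN:-kadmin}"
ADMIN_PRINC="${ADMIN_PRINC:-batch/admin}"
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/etc/krb5kdc/batch-admin.keytab}"

# Run a single kadmin query non-interactively, authenticating from the keytab.
kadmin_query() {
    "$KADMIN_BIN" -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "$1" </dev/null
}

# Print the principals to modify, one per line. Skipped: the banner line
# kadmin prints, the KDC's own principals, and the batch principal itself
# (an expired password on it would lock the script out). Add service
# principals that only ever use keytabs to the skip list as needed.
list_targets() {
    kadmin_query "listprincs" | while IFS= read -r p; do
        case "$p" in
            ''|Authenticating\ as\ *) continue ;;
            krbtgt/*|kadmin/*|K/M@*) continue ;;
            "$ADMIN_PRINC"|"$ADMIN_PRINC"@*) continue ;;
        esac
        printf '%s\n' "$p"
    done
}

# Set the password expiration on every target principal.
# $1 is passed unchanged to kadmin's date parser (for example 2030-01-01).
# Prints each principal for which the query was issued.
set_pwexpire_all() {
    list_targets | while IFS= read -r p; do
        kadmin_query "modprinc -pwexpire \"$1\" \"$p\"" >/dev/null &&
            printf '%s\n' "$p"
    done
}

# Usage, after sourcing this file:  set_pwexpire_all "2030-01-01"
```

Check the result with `getprinc` on a sample principal rather than relying on the exit status of `kadmin -q`.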
