On 09/14/2012 02:16 PM, Martin B. Smith wrote:
> Thanks Greg and Marcus. It was exactly as you pointed out. Are there any
> side effects of rekeying krbtgt@REALMNAME? I'm guessing any existing
> TGTs are invalidated, but I haven't reasoned out any other problems that
> might occur.

You can use -keepold to avoid invalidating existing TGTs. If you have multiple KDCs, you'll want to force a propagation right after re-keying the krbtgt. During the propagation window, TGS requests may fail if they go to slave KDCs.
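
The sequence from the reply above (re-key with -keepold, then propagate at once to every slave KDC), as a shell script for the primary KDC of an MIT Kerberos realm. This is an added example, not part of the original thread; the realm, slave host names and dump path are placeholders, and the commands are only printed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: MIT krb5 tools on the
# primary KDC, kprop/kpropd propagation, and the usual TGS principal name
# krbtgt/REALM@REALM. Realm, hosts and dump path are placeholders.

# Print the command (dry run); execute it only when RUN=1.
step() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; return; fi
    line=
    for a in "$@"; do
        case $a in *" "*) a="\"$a\"" ;; esac   # re-quote multi-word arguments
        line="${line:+$line }$a"
    done
    printf '%s\n' "$line"
}

# usage: rekey_krbtgt REALM DUMPFILE [SLAVE_KDC...]
rekey_krbtgt() {
    realm=$1; dump=$2; shift 2
    princ="krbtgt/${realm}@${realm}"

    # 1. New random key; -keepold retains the previous key, so TGTs that
    #    were issued under it still decrypt.
    step kadmin.local -q "cpw -randkey -keepold ${princ}" || return 1
    # 2. Inspect the principal: both the old and the new kvno should be listed.
    step kadmin.local -q "getprinc ${princ}" || return 1
    # 3. Dump the database and push it to every slave KDC right away. Until a
    #    slave has the new key, it cannot handle TGTs issued by the primary.
    step kdb5_util dump "${dump}" || return 1
    failed=0
    for host in "$@"; do
        step kprop -f "${dump}" "${host}" || {
            echo "propagation to ${host} failed" >&2
            failed=1
        }
    done
    return "${failed}"
}

# Run only when called with arguments, e.g.:
#   sh rekey.sh EXAMPLE.COM /var/tmp/krb5_dump kdc2.example.com
if [ "$#" -ge 2 ]; then rekey_krbtgt "$@"; fi
```

Once the maximum ticket lifetime has passed, the retained old key can be dropped with kadmin's `purgekeys` command.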
