We here require the person reloading a machine to be authorized to reload it. That means that we can ask for a principal and password to get started. From there we have an internally developed system that we are working to replace with wallet to handle our keytab creation for new hosts and hosts that have changed names.
One other option we have looked at (and eventually are going to implement) is giving hosts that are set to be reloaded a keytab that is authorized to reload any host. This does pose some security concerns if other parts of your environment aren't under some sort of acl control.

Ross Smith <[email protected]>
College of Engineering - CAEN - Unix and Linux Support

On Mon, Oct 22, 2012 at 8:51 PM, Jaap Winius <[email protected]> wrote:
> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
>
> > remctl doesn't, as yet, have support for anonymous PKINIT, although it's
> > something that I want to add.
>
> Then perhaps remctl is currently not part of a solution to this problem.
> Is there any way at all to automatically create a keytab on a newly
> installed host?
>
> Thanks,
>
> Jaap
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
