Almudena Montiel González <[email protected]> writes:

> I have recently deployed the wallet system for streamlining of my
> kerberos keytabs. I am using both types supported: files and keytabs.
> When using files, I can create them and retrieve with no problem. But
> when I use the keytabs I don't get them properly. The key of the keytab
> is a failed value.
Sorry about the delay in answering. I was out on vacation.

What you're running into is that the default behavior when retrieving a
Kerberos keytab is to randomize the key. Therefore, each time the keytab
is downloaded, you get a new keytab (and the keys are simultaneously
updated in the KDC), invalidating any existing keytab.

If you don't want this to happen, you have to set the unchanging flag on
the keytab, at which point, if you're using Heimdal, the existing keytab
will be retrieved. If you're using MIT Kerberos, you will need to set up
the keytab-backend remctl interface on your KDC so that it can extract
the existing key for wallet.

This is similar to how ktadd works, so most Kerberos folks are used to
it, but I've gotten some feedback from other folks that it's confusing to
have get randomize the keys for keytabs but not change anything for file
objects. I'm considering deprecating get for non-unchanging keytabs and
introducing a new command, but I haven't decided yet.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
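The practical check behind this thread is whether the keytab you hold still matches the key the KDC has: after wallet randomizes the key, the KDC's key version number (kvno) moves on and any older copy of the keytab is stale. The following added example (not code from the wallet project or from either poster) parses the MIT/Heimdal keytab file format (version 0x0502) directly, extracts principal, enctype and kvno for each entry, and compares those kvnos against a constructed table standing in for what `kvno` or `kadmin getprinc` would report from the KDC. The sample keytab bytes and the KDC kvno table are constructed inline; `build_keytab` exists only so the example is self-contained.

```python
"""Parse a keytab and flag entries whose kvno lags behind the KDC (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List

KRB5_NT_PRINCIPAL = 1          # name type written by kadmin/ktadd
ENCTYPE_AES128_CTS = 17        # aes128-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    principal: str             # "comp1/comp2@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes, off: int):
    """Read a 16-bit-length-prefixed string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a version-2 keytab (big-endian) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:          # negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", rec, p); p += 2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p); p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p); p += 4
        key, p = rec[p:p + klen], p + klen
        kvno = vno8
        if len(rec) - p >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", rec, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Encode entries in the same format; used here only to construct sample data."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        princ, realm = e.principal.rsplit("@", 1)
        comps = princ.split("/")
        rec = bytearray(struct.pack(">H", len(comps)))
        rec += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        rec += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        rec += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def stale_entries(keytab: bytes, kdc_kvno: Dict[str, int]) -> Dict[str, str]:
    """Map each principal in the keytab to 'ok' or 'stale' against the KDC's kvno."""
    result = {}
    for e in parse_keytab(keytab):
        current = kdc_kvno.get(e.principal)
        result[e.principal] = "ok" if current == e.kvno else "stale"
    return result


# Constructed sample: host/ keytab fetched before wallet randomized the key (kvno 4),
# while a later 'wallet get' bumped the KDC to kvno 5; the HTTP/ entry is current.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/www.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1700000000,
                4, ENCTYPE_AES128_CTS, bytes(range(16))),
    KeytabEntry("HTTP/www.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1700000100,
                2, ENCTYPE_AES128_CTS, bytes(range(16, 32))),
])
SAMPLE_KDC_KVNO = {"host/www.example.com@EXAMPLE.COM": 5,
                   "HTTP/www.example.com@EXAMPLE.COM": 2}

if __name__ == "__main__":
    for princ, status in stale_entries(SAMPLE_KEYTAB, SAMPLE_KDC_KVNO).items():
        print(f"{status:5s} {princ}")
```

On a real host you would read the keytab file bytes (`open("/etc/krb5.keytab", "rb").read()`) and fill the kvno table from `kvno`/`klist -k` output or from the KDC; a `stale` result for a wallet-managed principal is exactly the symptom of a non-unchanging keytab having been retrieved again after this copy was written.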
