Thank you very much. Yes, it works perfectly using "wallet flag set keytab <principal> unchanging".

Is there a way to set this flag automatically, to set it by default? I am using the 'default_owner' function, and it would be great if I could include it there, or set it as a default somewhere.

Cheers,
Almudena

2012/10/30 Russ Allbery <[email protected]>

> Almudena Montiel González <[email protected]> writes:
>
> > I have recently deployed the wallet system for streamlining of my
> > Kerberos keytabs. I am using both types supported: files and keytabs.
> > When using files, I can create them and retrieve with no problem. But
> > when I use the keytabs I don't get them properly. The key of the keytab
> > is a failed value.
>
> Sorry about the delay in answering. I was out on vacation.
>
> What you're running into is that the default behavior when retrieving a
> Kerberos keytab is to randomize the key. Therefore, each time the keytab
> is downloaded, you get a new keytab (and the keys are simultaneously
> updated in the KDC), invalidating any existing keytab.
>
> If you don't want this to happen, you have to set the unchanging flag on
> the keytab, at which point, if you're using Heimdal, the existing keytab
> will be retrieved. If you're using MIT Kerberos, you will need to set up
> the keytab-backend remctl interface on your KDC so that it can extract the
> existing key for wallet.
>
> This is similar to how ktadd works, so most Kerberos folks are used to it,
> but I've gotten some feedback from other folks that it's confusing to have
> get randomize the keys for keytabs but not change anything for file
> objects. I'm considering deprecating get for non-unchanging keytabs and
> introducing a new command, but I haven't decided yet.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

--
Almudena Montiel González

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
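The behaviour Russ describes above (a plain "get" on a keytab object rotates the key in the KDC, so every download invalidates the keytab already on the host) is easy to run into from a provisioning script. The script below is an added example, not code from the thread or from the wallet distribution: it sets the unchanging flag if the object does not already carry it, fetches the keytab with "wallet -f", and then checks that the highest kvno recorded in the local keytab did not move, which is the observable symptom of an unintended key rotation. It assumes the wallet client and MIT Kerberos klist are on PATH, that "wallet show" prints a "Flags:" line naming any flags set on the object, and that "klist -k" prints one "KVNO Principal" row per key; the sample listing at the bottom is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or the wallet distribution): fetch a
# keytab through wallet without rotating its key, then verify that the key
# version number (kvno) in the local keytab did not change.
#
# Assumptions: `wallet` and MIT `klist` are on PATH; `wallet show keytab NAME`
# prints a "Flags:" line listing flags (format assumed); `klist -k FILE`
# prints rows of the form "<kvno> <principal>".
set -eu

# Read `klist -k` output on stdin and print the highest kvno for principal $1.
# Header and separator lines are skipped because their first field is not numeric.
max_kvno_from_listing() {
    awk -v p="$1" 'BEGIN { max = 0 }
                   $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
                   END { print max }'
}

# Highest kvno stored for principal $2 in keytab file $1 (0 if file or key absent).
max_kvno_in_keytab() {
    if [ -r "$1" ]; then
        klist -k "$1" | max_kvno_from_listing "$2"
    else
        echo 0
    fi
}

# True if the wallet keytab object $1 already carries the unchanging flag.
# "unchanging" is not a prefix of any other wallet flag, so a substring match is enough.
has_unchanging_flag() {
    wallet show keytab "$1" | grep -Eq '^ *Flags:.*unchanging'
}

# Usage: fetch_keytab_unchanging <wallet object name> <keytab file> <realm>
# Sets the unchanging flag when missing, retrieves the keytab into the file,
# and fails if the kvno of an existing key moved (i.e. the key was rotated).
fetch_keytab_unchanging() {
    name=$1; dest=$2; realm=$3
    princ="$name@$realm"
    if ! has_unchanging_flag "$name"; then
        wallet flag set keytab "$name" unchanging
    fi
    before=$(max_kvno_in_keytab "$dest" "$princ")
    wallet -f "$dest" get keytab "$name"
    after=$(max_kvno_in_keytab "$dest" "$princ")
    if [ "$before" -ne 0 ] && [ "$after" -ne "$before" ]; then
        echo "warning: kvno for $princ went from $before to $after; the key was rotated" >&2
        return 1
    fi
    echo "$princ: kvno $after (unchanged)"
}

# Constructed sample of `klist -k` output, used only to exercise the parser offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/foo.example.com@EXAMPLE.COM
   5 host/foo.example.com@EXAMPLE.COM
   2 nfs/foo.example.com@EXAMPLE.COM'

# Offline demonstration of the kvno check; on a real host you would call
#   fetch_keytab_unchanging host/foo.example.com /etc/krb5.keytab EXAMPLE.COM
printf '%s\n' "$SAMPLE_LISTING" | max_kvno_from_listing 'host/foo.example.com@EXAMPLE.COM'
```

The kvno comparison is the part worth keeping even if you never automate the flag: after any wallet "get" of a keytab, a kvno that jumped on the host means the KDC key was randomized and every other copy of that keytab (other hosts, backups) is now dead. Heimdal's klist prints a "Vno Type Principal" layout, so the awk field positions would need adjusting there.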
