This patch implements an option to have keytabs destroyed and recreated when they are rekeyed. This adds the configuration directive KEYTAB_REPLACE to the wallet configuration. It uses the existing functions to destroy and create the keytab.
Our use case for this behavior is based on a requirement we have to keep the kvno of our deployed keytabs constant. This patch should apply cleanly to the released 1.0 version of wallet. Ross Smith <[email protected]> ------------------------------------------------------------------------------------------- diff --git a/perl/Wallet/Kadmin/MIT.pm b/perl/Wallet/Kadmin/MIT.pm index c191bc9..52720e5 100644 --- a/perl/Wallet/Kadmin/MIT.pm +++ b/perl/Wallet/Kadmin/MIT.pm @@ -187,11 +187,15 @@ sub keytab_rekey { $self->error ("invalid principal name: $principal"); return; } + if ($Wallet::Config::KEYTAB_REPLACE) { + $self->destroy($principal); + $self->create($principal); + } if ($Wallet::Config::KEYTAB_REALM) { $principal .= '@' . $Wallet::Config::KEYTAB_REALM; } my $file = $Wallet::Config::KEYTAB_TMP . "/keytab.$$"; unlink $file; my $command = "ktadd -q -k $file"; if (@enctypes) { @enctypes = map { /:/ ? $_ : "$_:normal" } @enctypes; ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
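Review bot: the return values of $self->destroy($principal) and $self->create($principal) inside the new KEYTAB_REPLACE block are ignored, so if either call fails (and sets $self->error) keytab_rekey still falls through to the ktadd of a principal that may no longer exist, and the original error is lost. Check both results and bail out early, for example `$self->destroy ($principal) or return;` followed by `$self->create ($principal) or return;`. Placing the block before the KEYTAB_REALM suffix is appended is consistent with the rest of this function only if create and destroy qualify the realm themselves, which is worth stating in a comment. Finally, the patch introduces $Wallet::Config::KEYTAB_REPLACE but does not touch the configuration module, so the new directive should also be declared and documented alongside KEYTAB_REALM and KEYTAB_TMP in Wallet::Config.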
