On Feb 14, 2006, at 3:27, Juha Jäykkä wrote:
>> Keytabs are normally not supposed to be shared between multiple
>> machines, and this approach means that kadmind doesn't need to have the
>> capability of retrieving keys from the KDC, which is an additional
>> separation of capability and an additional level of security.
>
> Except that AFS requires a shared keytab. Nice. :-) What about
> (Heimdal's) ktutil, does it have the same "problem" as ktadd? And how

Heimdal's "kt_extract" (kadmin command) extracts a key without
generating a new one. (This is generally considered a bad thing; I
could see it being limited to kadmin's "local mode" in the future.)
Other mechanisms will indeed create a new key.

> would an AFS cell recover from the unfortunate human error of an admin
> doing the line in the subject? This sounds like a disaster waiting to
> happen, there must be an easy way out.
With heimdal you could use ktutil to copy the newly extracted keytab
into the KeyFile:
ktutil copy FILE:mykt AFSKEYFILE:KeyFile
This would still leave all outstanding tokens broken, but "aklog"
should recover once the KeyFile is back in sync with the KDC.
--
brandon s. allbery [linux,solaris,freebsd,perl]
system administrator [openafs,heimdal,too many hats]
electrical and computer engineering, carnegie mellon university
KF8NH
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
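The failure mode in this thread is a KeyFile that has fallen behind the KDC: a `ktadd` creates a new kvno at the KDC while the fileservers' KeyFile still holds only the old one. The following is an added example, not code from the thread, from Heimdal or from OpenAFS: it parses a version 0x0502 Kerberos keytab and an OpenAFS KeyFile (assumed layout: big-endian int32 count followed by int32 kvno plus 8-byte DES key records), reports which afs-service kvnos the keytab has that the KeyFile lacks, and serialises a KeyFile the way the `ktutil copy FILE:... AFSKEYFILE:KeyFile` step above does. The keytab and KeyFile bytes are constructed in the block; only 8-byte DES keys are considered KeyFile material.

```python
import struct
DES_ENCTYPES = {1, 2, 3}  # des-cbc-crc/md4/md5: the only key types an AFS KeyFile can hold
def parse_keytab(data):
    """Parse a version 0x0502 Kerberos keytab into (principal, kvno, enctype, key) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                      # a negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        ncomp, pos, names = struct.unpack_from(">H", data, pos)[0], pos + 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _nt, _stamp, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        if end - pos >= 4:                 # optional 32-bit kvno; authoritative when nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype, key))
    return entries

def parse_keyfile(data):
    """OpenAFS KeyFile (assumed layout): int32 count, then (int32 kvno, 8-byte DES key) records."""
    n = struct.unpack_from(">i", data, 0)[0]
    return {kvno: key for kvno, key in struct.iter_unpack(">i8s", data[4:4 + 12 * n])}

def build_keyfile(keys):
    """Serialise {kvno: key} as a KeyFile, i.e. what `ktutil copy ... AFSKEYFILE:` writes (assumed)."""
    return struct.pack(">i", len(keys)) + b"".join(struct.pack(">i8s", k, keys[k]) for k in sorted(keys))

def missing_kvnos(keytab, keyfile, principal):
    """kvnos of DES keys for `principal` that the keytab has but the KeyFile lacks (out-of-sync check)."""
    wanted = {k for p, k, e, _ in parse_keytab(keytab) if p == principal and e in DES_ENCTYPES}
    return sorted(wanted - set(parse_keyfile(keyfile)))

def _entry(realm, comps, kvno, enctype, key):  # builds constructed test entries, not a real keytab
    body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed scenario: the keytab holds kvno 3 and the fresh kvno 4 an accidental ktadd made; KeyFile has only 3.
PRINC, KEY3, KEY4 = "afs/example.org@EXAMPLE.ORG", bytes(range(8)), bytes(range(8, 16))
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(_entry("EXAMPLE.ORG", ["afs", "example.org"], k, e, key) for k, e, key in
                                        [(3, 1, KEY3), (4, 1, KEY4), (4, 18, bytes(32))])  # the aes key is ignored
SAMPLE_KEYFILE = build_keyfile({3: KEY3})
```

Running `missing_kvnos(SAMPLE_KEYTAB, SAMPLE_KEYFILE, PRINC)` reports `[4]`; writing `build_keyfile({3: KEY3, 4: KEY4})` over the KeyFile brings it back in sync, after which the check returns an empty list.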