Gary Gatling <[email protected]> writes:

> So will I still need to create a keytab for this account?

Yes, that would be my recommendation.

> Is there a good faq on how to do that step if I know the account name
> and password?

If you're using MIT Kerberos, you can use the add_entry command in ktutil to create a keytab when you know the password, but it's very awkward (you have to know the kvno and run it repeatedly for each enctype you want). If you're using Heimdal, the add command to ktutil is, I think, quite a bit friendlier about such things.

Is it okay to change the password as part of creating the keytab? If so, by far the easiest thing to do is to download the keytab like you would any other keytab (such as a host/* keytab), using kadmin or whatever other local infrastructure you use. However, with MIT Kerberos (but not with Heimdal) this will randomize the key, so the old password will stop working.

The other option with MIT Kerberos would be to have your KDC administrator extract a keytab for the existing key by running kadmin.local as root on the KDC and then using the addprinc -norandkey command (which is only available in kadmin.local).

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
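The MIT ktutil procedure described in the message above (one add_entry per enctype, all at the same kvno), as an added example that is not part of the original post or of MIT Kerberos itself. The function names, the `KT_PASSWORD` variable, the principal, the kvno and the keytab path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all names and sample values here are constructed.
#
# ktutil_script PRINCIPAL KVNO KEYTAB ENCTYPE...
# Emits the command script MIT ktutil reads on stdin: one addent (add_entry)
# per enctype, each followed by the line that answers its password prompt,
# then write_kt and quit.
# The password comes from the KT_PASSWORD environment variable (hypothetical
# name) so that it never appears in a process argument list.
# KVNO must equal the principal's current key version number on the KDC,
# otherwise the keytab entries will not match tickets issued for that key.
ktutil_script() {
    princ=$1; kvno=$2; keytab=$3; shift 3
    for etype in "$@"; do
        printf 'addent -password -p %s -k %s -e %s\n' "$princ" "$kvno" "$etype"
        printf '%s\n' "$KT_PASSWORD"
    done
    printf 'write_kt %s\nquit\n' "$keytab"
}

# make_keytab PRINCIPAL KVNO KEYTAB ENCTYPE...
# Feeds the script to ktutil with a restrictive umask, then lists the result
# (kvno, timestamp and enctype per entry) so it can be compared with the KDC.
make_keytab() {
    keytab=$3
    ( umask 077; ktutil_script "$@" | ktutil >/dev/null ) || return 1
    klist -ket "$keytab"
}

# Usage (constructed values):
#   KT_PASSWORD=... make_keytab svc-afs@EXAMPLE.ORG 3 ./svc-afs.keytab \
#       aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
#   kinit -kt ./svc-afs.keytab svc-afs@EXAMPLE.ORG   # confirms the keys match
```

If `kinit -kt` fails even though the password is right, check the kvno first, then whether the principal uses a non-default salt, since ktutil derives each key from the password and a salt.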
