Alexei Korobkin wrote:
> Dear All,
> 
> Solaris 5.11 snv_55b x86, non-global zone kdc1, I'm trying to install
> Kerberos Master KDC, using Solaris 10 Security Services (816-4557) book.
> 
> If I want to add new principal to keytab, I do
> 
> # /usr/sbin/kadmin.local
> kadmin: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com
> 
> And I can see that /etc/krb5/kadm5.keytab grows in size.
> 
> But, if I do not specify the keytab file, like
> # /usr/sbin/kadmin.local
> kadmin: ktadd kadmin/kdc1.example.com
> 
> kadm5.keytab is not changed at all, but small new krb5.keytab appears in
> /etc/krb5/.


kadm5.keytab is only used to store the administrative principals
used by the kadmind.  It is only needed if you are running
a kadmin daemon process on that host (i.e. only needed on the KDC).

You must explicitly specify that you are storing the new keys in
the alternate keytab; the default for kadmin is to always write
keys to the standard keytab (/etc/krb5/krb5.keytab).

kadmin> ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com

> 
> Who makes this file and why?
> In /etc/krb5/kdc.conf I have
>    admin_keytab = /etc/krb5/kadm5.keytab

That is correct, that is for the "ADMIN" keytab and as
described above it is only needed on a KDC system and
is only used by the administrative daemons.

> 
> I searched for krb5.keytab at src.opensolaris.org and found several
> places (mainly in GSS_API libs) where this file is mentioned.
> 
> Is there an error in the GSS_API source code or am I doing something wrong?

Perhaps check the online Kerberos documentation (docs.sun.com) for
more details about the keytabs and administering the principals.

-Wyllys
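
Added example, not part of the original thread: a check for the situation described above, where `ktadd` without `-k` leaves kadmind's keys in the default keytab instead of kadm5.keytab. It parses `klist -k` output; the sample listing, the realm EXAMPLE.COM, the function name and the `changepw/` prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find kadmind service keys that ktadd wrote to the default
# keytab instead of the admin keytab. Input is `klist -k <keytab>` output.

# Principal prefixes treated as kadmind-only (assumption: kadmin/ and changepw/).
ADMIN_PREFIXES='kadmin/ changepw/'

# misplaced_admin_keys (hypothetical helper): read `klist -k` output on stdin,
# print each admin principal found once; return 0 if none, 1 if any are present.
misplaced_admin_keys() {
    awk -v prefixes="$ADMIN_PREFIXES" '
        BEGIN { n = split(prefixes, p, " ") }
        # Entry lines look like "   3 principal@REALM"; headers and rules are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            for (i = 1; i <= n; i++)
                if (index($2, p[i]) == 1 && !seen[$2]++) { print $2; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample of `klist -k /etc/krb5/krb5.keytab` after running
# "ktadd kadmin/kdc1.example.com" without -k (one line per key type).
SAMPLE_DEFAULT_KEYTAB='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 kadmin/kdc1.example.com@EXAMPLE.COM
   3 kadmin/kdc1.example.com@EXAMPLE.COM
   2 host/kdc1.example.com@EXAMPLE.COM'

# On a live KDC: klist -k /etc/krb5/krb5.keytab | misplaced_admin_keys
if out=$(printf '%s\n' "$SAMPLE_DEFAULT_KEYTAB" | misplaced_admin_keys); then
    echo "no kadmind keys in the default keytab"
else
    echo "kadmind keys found in default keytab (expected only in kadm5.keytab):"
    echo "$out"
fi
```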
