ktadd then principal's password no longer works?

Jeff Blaine jblaine at kickflop.net
Fri Aug 14 11:26:22 EDT 2009


Goofy :/

I wonder how people script kadmin queries with MIT-krb5.

You know, like, setting every principal's password expiration.

Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something.  This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin:  ktadd -k admin.kt admin/admin
>> Entry for principal admin/admin with kvno 9, encryption type Triple DES 
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc 
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin:  quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
> 
> This won't work. ktadd creates a new random key every time it
> is invoked, thus destroying your earlier password-derived
> key. The manpage says:
> 
>      ktadd [-k keytab] [-q] [-e keysaltlist]
>           [principal | -glob princ-exp] [...]
> 
>           Adds a principal or all principals  matching  princ-exp
>           to  a  keytab,  randomizing each principal's key in the
>           process. ...
> 
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
> 
> --Shumon.
> 
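As an added example (not from the thread or from MIT krb5 itself), the scripting question above is usually answered by driving kadmin non-interactively: `kadmin -k -t <keytab> -p <admin principal>` authenticates with the keytab rather than a password (which is exactly why the keytab keeps working after ktadd has randomized the key), `-q` or commands on stdin run queries in batch, `list_principals` enumerates the database, and `modify_principal -pwexpire <date> <principal>` sets the expiration. The script below builds that batch from a principal list and feeds it to kadmin; the admin principal name, keytab path and the skip pattern for service principals are assumptions, and the sample principal list in `demo` is constructed. Later MIT releases also added `ktadd -norandkey` to kadmin.local, which exports the existing key without randomizing it and avoids the password breakage described in the first message.

```shell
#!/bin/sh
# Set a password expiration on every user principal in an MIT krb5 realm
# by batching modify_principal commands through kadmin.
# Assumptions (placeholders): admin principal and keytab from the thread.

KADMIN=${KADMIN:-kadmin}
ADMIN_PRINC=${ADMIN_PRINC:-admin/admin}
ADMIN_KEYTAB=${ADMIN_KEYTAB:-admin.kt}

# build_pwexpire_cmds EXPIRY [SKIP_REGEX]
# Reads principals (one per line) on stdin and writes one
# modify_principal command per principal, skipping service/KDC
# principals that must never get a password expiration.
build_pwexpire_cmds() {
    expiry=$1
    skip_re=${2:-'^(krbtgt/|kadmin/|K/M@)'}
    grep -Ev "$skip_re" | while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        printf 'modify_principal -pwexpire "%s" %s\n' "$expiry" "$princ"
    done
}

# list_user_principals: enumerate the database with the keytab identity
# and keep only lines that look like principals (name@REALM).
list_user_principals() {
    "$KADMIN" -k -t "$ADMIN_KEYTAB" -p "$ADMIN_PRINC" -q list_principals \
        2>/dev/null | grep '@'
}

# set_all_pwexpire EXPIRY: the whole procedure, as a defender would run it
# from cron; kadmin reads the batch from stdin when it is not a tty.
set_all_pwexpire() {
    list_user_principals \
        | build_pwexpire_cmds "$1" \
        | "$KADMIN" -k -t "$ADMIN_KEYTAB" -p "$ADMIN_PRINC"
}

# demo: constructed principal list, shows the batch without touching a KDC.
demo() {
    printf 'alice@FOO.COM\nkrbtgt/FOO.COM@FOO.COM\nbob@FOO.COM\nK/M@FOO.COM\n' \
        | build_pwexpire_cmds "2010-01-01"
}

[ "${1:-}" = "--demo" ] && demo
```

Run `sh script.sh --demo` to preview the generated batch; run `set_all_pwexpire "2010-01-01"` (or any date string kadmin's date parser accepts, including `never`) against a real KDC only after checking the preview, since the skip pattern is the only thing keeping krbtgt and kadmin principals out of the change.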
