Antwort: Newbie question on keytab -- no need for this on clients, right? [Virus checked]
denis.havlik@t-mobile.at
denis.havlik at t-mobile.at
Tue Apr 13 04:19:09 EDT 2004
>answered, so I'm going to ask: the keytab folder in the MIT source code
>is only needed for application servers or KDCs, right? There's no need
Think of the keytab file as of a file that contains a password, and
remember that "both sides" need to prove who they are in a kerberised
world.
As long as some user runs kinit interactively, there is no need for a
keytab. On the other hand, you need a keytab for any program that runs
automatically, and wants to communicate with other programs. This includes
all network services, but may also include some cron jobs that you want to
run.
For instance, you could have automated backup routine, with central server
and clients on all the PCs. If this service is kerberised, you will need a
keytab on every client.
Btw, you can have more than one keytab file, each readible only by the
user (service) that owns it.
regards
DenissFrom denis.havlik at t-mobile.at Tue Apr 13 04:23:16 2004
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3D8NGos026123
for <kerberos at PCH.mit.edu>; Tue, 13 Apr 2004 04:23:16 -0400 (EDT)
Received: from mail1.t-mobile.at (mail1.t-mobile.at [213.162.65.1])
i3D8N7rE015314
for <kerberos at mit.edu>; Tue, 13 Apr 2004 04:23:08 -0400 (EDT)
Received: from maxmr.t-mobile.at ([213.162.65.14])
by mail1.t-mobile.at (mail1.t-mobile.at [213.162.65.1])
(MDaemon.PRO.v7.1.0g.R)
with ESMTP id 26-md50000017145.msg
for <kerberos at mit.edu>; Tue, 13 Apr 2004 10:23:05 +0200
Received: from wien31.t-mobile.at (svnotes1.maxmobil.at [195.5.66.31])
ESMTP id 1DE6097C56
for <kerberos at mit.edu>; Tue, 13 Apr 2004 10:11:27 +0200 (CEST)
To: kerberos at mit.edu
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 5.0.10 March 22, 2002
Message-ID: <OF179080DA.9AB9175F-ONC1256E75.002DD607-C1256E75.002E0956 at t-mobile.at>
From: denis.havlik at t-mobile.at
Date: Tue, 13 Apr 2004 10:22:50 +0200
X-Priority: 3 (Normal)
X-MIMETrack: Serialize by Router on Wien31/T-Mobile/AT(Release 5.0.12
|February 13, 2003) at 13.04.2004 10:22:48,
Serialize complete at 13.04.2004 10:22:48
X-Spam-Processed: mail1.t-mobile.at, Tue, 13 Apr 2004 10:23:05 +0200
(not processed: message from valid local sender)
X-MDRemoteIP: 213.162.65.14
X-Return-Path: denis.havlik at t-mobile.at
X-MDaemon-Deliver-To: kerberos at mit.edu
X-MDAV-Processed: mail1.t-mobile.at, Tue, 13 Apr 2004 10:23:07 +0200
X-Mailman-Approved-At: Tue, 13 Apr 2004 16:02:14 -0400
Content-Type: text/plain; charset="us-ascii"
X-Content-Filtered-By: Mailman/MimeDel 2.1
Subject: Antwort: Re: Windows with MIT krb5 and OpenLDAP [Virus checked]
X-BeenThere: kerberos at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Help: <mailto:kerberos-request at mit.edu?subject=help>
List-Post: <mailto:kerberos at mit.edu>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request at mit.edu?subject=subscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request at mit.edu?subject=unsubscribe>
X-List-Received-Date: Tue, 13 Apr 2004 08:23:17 -0000
>> MIT + AD also works, if you set up cross-realm auth (AD trusts MIT, MIT
>> doesn't trust AD works)
>This is another thing: creating an AD server, and for all newly created
>principal/afs users I will have to create a user on the AD server... A
>middle-way solution...
Btw, anyone knows of some scripts that can keep AD server synchronised
with the LDAP/Kerberos accounts?
thx
Denis
More information about the Kerberos
mailing list