Keytab on each client?

Amir Saad Amir.Saad at bibalex.org
Thu Jan 5 02:19:57 EST 2006


 
Thanks for your reply.
Please consider the following example:
I have two clients, A and B; client B is my LDAP server.
Now I have created a principal for the LDAP service. If client A wants to connect to LDAP using Kerberos,
the KDC will send two tickets, one of them encrypted by the LDAP principal key, right?
To decrypt it, client B (which is the LDAP server) must know its key. How? I mean, client B has no keytab file, so how can it decrypt the ticket?
I hope you can help.
Thanks
Amir Saad
Software Engineer

________________________________

From: Paul B. Hill [mailto:pbh at MIT.EDU]
Sent: Wed 1/4/2006 4:16 PM
To: Amir Saad
Subject: RE: Keytab on each client?



No, you should not copy keytabs to clients.

Think of the keytab as being the application server's password, with which it
obtains its own tickets from the KDC. If you use this analogy it helps to
guide you in decisions about how you manage keytabs.

Paul

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf
Of Amir Saad
Sent: Wednesday, January 04, 2006 8:17 AM
To: kerberos at mit.edu
Subject: Keytab on each client?

I installed Kerberos successfully and I tested it using a client machine, and
it works fine although I didn't copy the keytab to the client.
The question is, if there is a service running on a client machine, for
example LDAP, do I have to copy the server keytab to this client?
Thanks
Amir Saad
Software Engineer

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
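
The exchange discussed in this thread, as an added Python sketch that is not part of the original messages: a toy KDC issues a ticket sealed under the service principal's key, and only the host holding that key in its keytab can open it. The principal names, the `ToyKDC` class, the single-step issue (real Kerberos splits it into AS and TGS exchanges) and the HMAC-based cipher standing in for a Kerberos enctype are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode); a stand-in for a real Kerberos enctype.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a principal's long-term key."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(_subkey(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed: wrong key for this ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))
    return json.loads(pt)

class ToyKDC:
    def __init__(self):
        self.db = {}                      # principal name -> long-term key
    def add_principal(self, name):
        self.db[name] = os.urandom(32)    # random long-term key, handed once to its owner
        return self.db[name]
    def issue(self, client, service):
        session = os.urandom(16).hex()
        reply = seal(self.db[client], {"service": service, "session": session})
        ticket = seal(self.db[service], {"client": client, "session": session})
        return reply, ticket              # the two encrypted parts sent to the client

def demo():
    kdc, user, svc = ToyKDC(), "userA@EXAMPLE.COM", "ldap/b.example.com@EXAMPLE.COM"
    key_a = kdc.add_principal(user)               # client A's own long-term key
    keytab_b = {svc: kdc.add_principal(svc)}      # keytab lives only on host B
    reply, ticket = kdc.issue(user, svc)
    at_client = unseal(key_a, reply)              # A learns the session key
    at_server = unseal(keytab_b[svc], ticket)     # B opens the ticket A forwarded
    try:
        unseal(key_a, ticket); client_opened_ticket = True
    except ValueError:
        client_opened_ticket = False
    return at_client["session"] == at_server["session"], at_server["client"], client_opened_ticket
```

`demo()` returns whether both sides ended up with the same session key, the client name the service read from the ticket, and whether client A could open the service ticket with its own key.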