allowing SSO for other hosts
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Jan 12 17:26:02 EST 2006
Fredrik Tolf wrote:
> On Mon, 2006-01-09 at 09:28 -0600, Douglas E. Engert wrote:
> > Rodrick Brown wrote:
> >> ktadd user/foo1.bar.com
> > Not needed, users are not in keytabs.
>
> In my experience, that's not just unneeded, but even detrimental.
> When I did that on my MIT KDC (in order to be able to get a TGT with
> kinit -kt ...), it increased the principal's kvno and put a random
> key on that principal, which meant that it wasn't possible to decrypt
> the TGT using a password anymore.
You are correct. Putting a key in the keytab automatically changes the
password for that key, so you usually never want to do that for a user
principal.
-Wyllys
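
The effect described in this thread, as an added example that is not part of the original message and is not MIT Kerberos code: a simplified Python model in which ktadd replaces a principal's password-derived key with a random one and raises the kvno, after which the password no longer opens the KDC's reply. ToyKDC, the realm, the principal name, the password, and the HMAC check standing in for decryption are all assumptions made for illustration.

```python
import hashlib, hmac, os

REALM = "EXAMPLE.COM"  # constructed realm, not from the thread

def string_to_key(password, principal):
    # Simplified stand-in for a password-to-key function: PBKDF2 salted with
    # realm + principal name. Real enctypes add further derivation steps.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

class ToyKDC:
    """Hypothetical in-memory principal database: name -> (kvno, key)."""
    def __init__(self):
        self.db = {}

    def add_principal(self, principal, password):
        self.db[principal] = (1, string_to_key(password, principal))

    def ktadd(self, principal):
        # Behaviour described in the thread: a fresh random key replaces the
        # current one and the kvno goes up. Returns the keytab entry.
        kvno, _ = self.db[principal]
        self.db[principal] = (kvno + 1, os.urandom(32))
        return self.db[principal]

    def as_rep(self, principal):
        # Stand-in for the encrypted part of the reply to kinit: a nonce and
        # a MAC computed under the principal's current long-term key.
        kvno, key = self.db[principal]
        nonce = os.urandom(16)
        return kvno, nonce, hmac.new(key, nonce, hashlib.sha256).digest()

def client_can_decrypt(reply, key):
    # The client "decrypts" only if its key matches the key the KDC used.
    _, nonce, tag = reply
    return hmac.compare_digest(tag, hmac.new(key, nonce, hashlib.sha256).digest())

def demo():
    kdc = ToyKDC()
    kdc.add_principal("foo", "constructed-password")
    pw_key = string_to_key("constructed-password", "foo")
    before = client_can_decrypt(kdc.as_rep("foo"), pw_key)  # password works
    kt_kvno, kt_key = kdc.ktadd("foo")                      # key randomized
    reply = kdc.as_rep("foo")
    return (before, client_can_decrypt(reply, pw_key),
            client_can_decrypt(reply, kt_key), kt_kvno)

if __name__ == "__main__":
    print(demo())
```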