ktadd then principal's password no longer works?
Shumon Huque
shuque at isc.upenn.edu
Fri Aug 14 11:12:07 EDT 2009
On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
> Again, I must really not understand something. This
> principal's password is getting trashed after I use
> ktadd
>
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at FOO.COM:
> kadmin: ktadd -k admin.kt admin/admin
> Entry for principal admin/admin with kvno 9, encryption type Triple DES
> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
> Entry for principal admin/admin with kvno 9, encryption type DES cbc
> mode with CRC-32 added to keytab WRFILE:admin.kt.
> kadmin: quit
>
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at FOO.COM:
> kadmin: Incorrect password while initializing kadmin interface
>
> ^^^ tried many times -- had to fix via kadmin.local

This won't work. ktadd creates a new random key every time it
is invoked, thus destroying your earlier password-derived
key. The manpage says:

    ktadd [-k keytab] [-q] [-e keysaltlist]
    [principal | -glob princ-exp] [...]
        Adds a principal or all principals matching princ-exp
        to a keytab, randomizing each principal's key in the
        process. ...

I don't think the MIT distro has any tool to do what you want.
You'd probably need to write a program to extract the
password-derived key directly from the KDB.
--Shumon.
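
Added example, not part of the original message and not MIT code: because each ktadd run stores a fresh random key under a new kvno, comparing two keytab snapshots shows the rotation that invalidates the password-derived key. The parser follows the MIT keytab file format 0x0502; the helper names, the sample keytabs, their filler key bytes and the kvno 10 of the second snapshot are constructed for illustration.

```python
import struct

ENCTYPES = {16: "des3-cbc-sha1", 1: "des-cbc-crc"}  # the two enctypes in the thread's ktadd output

def _counted(buf, off):  # read a uint16-length-prefixed string; return (value, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] from keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(rec, off)
            comps.append(comp.decode())
        off += 8                           # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", rec, off)
        key, off = _counted(rec, off + 3)
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
    return out

def rotated(before, after):
    """Entries whose key differs between snapshots: (principal, enctype, old kvno, new kvno)."""
    old = {(p, e): (v, k) for p, v, e, k in parse_keytab(before)}
    return [(p, ENCTYPES.get(e, str(e)), old[p, e][0], v)
            for p, v, e, k in parse_keytab(after)
            if (p, e) in old and old[p, e][1] != k]

def sample_keytab(kvno, fill):
    """Constructed keytab for admin/admin@FOO.COM; key bytes are filler, not real keys."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    name = struct.pack(">H", 2) + cs(b"FOO.COM") + cs(b"admin") + cs(b"admin")
    data = b"\x05\x02"
    for etype, klen in ((16, 24), (1, 8)):
        body = (name + struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)
                + cs(bytes([fill]) * klen) + struct.pack(">I", kvno))
        data += struct.pack(">i", len(body)) + body
    return data
```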