ktadd then principal's password no longer works?

Douglas E. Engert deengert at anl.gov
Fri Aug 14 11:24:04 EDT 2009

Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something.  This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin:  ktadd -k admin.kt admin/admin

You are creating a keytab to be used as the admin?
With a random password?

I think you are trying to create a keytab for the admin
using the current password, so you can use either the
password or the keytab.

If so, look at the ktutil addent command.
It does not have to change the KDC database.


>> Entry for principal admin/admin with kvno 9, encryption type Triple DES 
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc 
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin:  quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
> 
> This won't work. ktadd creates a new random key every time it
> is invoked, thus destroying your earlier password-derived
> key. The manpage says:
> 
>      ktadd [-k keytab] [-q] [-e keysaltlist]
>           [principal | -glob princ-exp] [...]
> 
>           Adds a principal or all principals  matching  princ-exp
>           to  a  keytab,  randomizing each principal's key in the
>           process. ...
> 
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
> 
> --Shumon.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
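As an added illustration (not code from this thread or from the MIT distribution): a small parser for the keytab file ktadd wrote. Because ktadd randomizes the key and raises the principal's kvno in the KDC, the kvno recorded in the keytab can be compared against the kvno shown by `kadmin getprinc` to tell whether a keytab has gone stale. The sample keytab bytes and key material are constructed, and `admin.kt` is stood in for by `SAMPLE_KEYTAB`.

```python
import struct
# Kerberos enctype registry numbers; the page's two entries are 16 (3DES) and 1 (DES/CRC-32).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
def _cstr(s):  # keytab counted string: uint16 length followed by the bytes
    return struct.pack(">H", len(s)) + s.encode()
def _entry(principal, kvno, etype, key, timestamp=1250263444):
    """Build one keytab entry (constructed sample data; the key bytes are dummies)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body
# Constructed stand-in for admin.kt: the two kvno-9 entries ktadd wrote on the page.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("admin/admin@FOO.COM", 9, 16, b"\x11" * 24)
                 + _entry("admin/admin@FOO.COM", 9, 1, b"\x22" * 8))
def _read_cstr(data, pos):  # returns (string, position after it)
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502, big-endian) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:        # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos); comps.append(comp)
        _name_type, _ts, kvno, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen     # skip the key material; only metadata is reported
        if end - pos >= 4:   # a nonzero 32-bit kvno trailer overrides the 8-bit field
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, "enctype-%d" % etype), "keylen": klen})
    return entries

def stale_entries(entries, kdc_kvno):  # keytab entries whose kvno no longer matches the KDC's
    return sorted({e["principal"] for e in entries if e["kvno"] != kdc_kvno})
```

Feed `parse_keytab` the bytes of a real keytab file and pass the kvno reported by `kadmin getprinc` to `stale_entries` to see which entries a later ktadd has invalidated.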
