Using ktadd seems to invalidate the passwd
Russ Allbery
rra at stanford.edu
Tue Oct 12 12:25:43 EDT 2010
Phillip Moore <w.phillip.moore at gmail.com> writes:
> When setting up the environment, I create the principals using:
> add_principal -pw $principal $principal@$realm
> Then I extract the keytab file for use in the test suite using:
> ktadd -k /path/to/$principal.keytab $principal
> I've discovered that as soon as I run ktadd, then I can no longer
> manually authenticate as that principal anymore.
> kinit(v5): Password incorrect while getting initial credentials
> I create 8 different users, and extract keytab files for only 3 of them.
> They are all created with the same add_principal command, and I can only
> manually authenticate as the 5 that have NOT had a keytab extracted.
> Now, I'm assuming that the act of extracting the keytab has a side
> effect, but it's not clear how to work around it. If I reset the
> password using kadmin, that increments the kvno, which will mean I have
> to re-extract the keytab files, which will make the password invalid,
> which means....
With MIT Kerberos, ktadd over the network always randomizes the keys. You
have to use kadmin.local with the -norandkey flag (which is only available
in kadmin.local) to extract a keytab without randomizing the keys.
Alternately, you can create a keytab directly from the password rather
than using ktadd, using ktutil add_entry.
Heimdal behaves the way that you desire above; extracting a keytab in
Heimdal doesn't change the keys.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
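An added example (not part of the thread, and not MIT's or Heimdal's own code) wrapping the MIT fix the reply gives, ktadd -norandkey under kadmin.local, together with the check a test harness wants: did the KDC's key version number (kvno) change across the extraction, and does the keytab agree with the KDC afterwards? The principal svc1@EXAMPLE.COM, the paths and the sample klist/getprinc listings are constructed; the live commands are wrapped in functions that are defined but not called, so the script runs offline on the samples.

```shell
#!/bin/sh
# Added example (not from the original thread, not MIT's or Heimdal's code).
# A plain "ktadd" through kadmin randomizes the key and bumps the kvno, so
# the password stops working; "kadmin.local -q 'ktadd -norandkey ...'" keeps
# the key. The parsers below let a harness confirm that from command output.
# Principal, realm, paths and sample listings are constructed assumptions.
set -eu

# Parse "klist -kt" output on stdin; print "kvno principal" per entry.
# Header, column-title and separator lines are skipped (a kvno is numeric).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $NF }'
}

# Parse "kadmin.local -q 'getprinc PRINC'" output on stdin; print the kvno
# from the first "Key: vno N, <enctype>" line (all keys of a principal share N).
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(/,$/, "", $3); print $3; exit }'
}

# Succeed when two getprinc listings (files $1 and $2) carry the same kvno:
# the key was left alone. A randomizing ktadd moves the kvno on.
key_unchanged() {
    before=$(kdc_kvno < "$1"); after=$(kdc_kvno < "$2")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Succeed when every keytab entry for principal $1 (klist -kt output in file
# $2) carries the kvno the KDC reports (getprinc output in file $3).
keytab_matches_kdc() {
    want=$(kdc_kvno < "$3")
    [ -n "$want" ] || return 1
    keytab_entries < "$2" | awk -v p="$1" -v want="$want" '
        $2 == p { seen = 1; if ($1 != want) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Live steps, run where the KDC database is readable: only kadmin.local
# accepts -norandkey. Snapshots getprinc before and after so key_unchanged
# can prove the key (and therefore the password) survived the extraction.
extract_keytab_keep_password() {
    principal=$1; keytab=$2; work=$3
    kadmin.local -q "getprinc $principal" > "$work/before"
    kadmin.local -q "ktadd -norandkey -k $keytab $principal"
    kadmin.local -q "getprinc $principal" > "$work/after"
    klist -kt "$keytab" > "$work/klist"
    key_unchanged "$work/before" "$work/after" &&
        keytab_matches_kdc "$principal" "$work/klist" "$work/after"
}

# Both credential paths should now work: the keytab and the original
# password (MIT kinit reads the password from stdin when it is piped).
verify_both_paths() {
    principal=$1; keytab=$2; password=$3
    kinit -kt "$keytab" "$principal"
    printf '%s\n' "$password" | kinit "$principal"
    kdestroy
}

# The reply's other route, building the keytab from the password with
# "ktutil add_entry", is an interactive session; the kvno and enctype given
# must match what getprinc reports, or "kinit -kt" with the result fails:
#   ktutil:  add_entry -password -p svc1@EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
#   ktutil:  write_kt /tmp/svc1.keytab
#   ktutil:  quit

# Constructed sample listings standing in for live command output.
SAMPLE_KLIST='Keytab name: FILE:/tmp/svc1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/12/2010 12:00:00 svc1@EXAMPLE.COM
   2 10/12/2010 12:00:00 svc1@EXAMPLE.COM'
SAMPLE_GETPRINC_BEFORE='Principal: svc1@EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96'
SAMPLE_GETPRINC_NORANDKEY=$SAMPLE_GETPRINC_BEFORE
SAMPLE_GETPRINC_RANDOMIZED='Principal: svc1@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96'

# Offline demonstration on the constructed samples.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KLIST" > "$d/klist"
    printf '%s\n' "$SAMPLE_GETPRINC_BEFORE" > "$d/before"
    printf '%s\n' "$SAMPLE_GETPRINC_NORANDKEY" > "$d/norandkey"
    printf '%s\n' "$SAMPLE_GETPRINC_RANDOMIZED" > "$d/randomized"
    echo "keytab entries:"; keytab_entries < "$d/klist"
    if key_unchanged "$d/before" "$d/norandkey"; then
        echo "-norandkey: kvno unchanged, password still valid"
    fi
    if ! key_unchanged "$d/before" "$d/randomized"; then
        echo "plain ktadd: kvno bumped, key randomized, password invalid"
    fi
    rm -rf "$d"
}
demo
```

For a live run on the KDC host, call `extract_keytab_keep_password svc1@EXAMPLE.COM /tmp/svc1.keytab "$(mktemp -d)"` and then `verify_both_paths svc1@EXAMPLE.COM /tmp/svc1.keytab "$password"`; a non-zero exit from the first means the kvno moved and the password no longer matches the key on the KDC.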