keytab, kvno, ktadd, and existing tickets

Chris Hecker checker at d6.com
Sat Jul 23 03:33:50 EDT 2011


> what breaks you is that the keys change and you didn't expect that.

Ah, I think I'm confused by what a "key" is.  I thought it was just the 
password for the principal.  What changes about it?

Oh, wait, from reading this, it looks like ktadd actually changes the 
password itself, it doesn't just dump it into the file...

http://mailman.mit.edu/pipermail/kerberos/2009-August/015203.html

...oh, and look, that's in man kadmin now that I look closer.  Oops.

And yeah, a ktexport command would be nice in kadmin.  Maybe I'll look 
at doing that if I have to do this more often.  This was only during 
testing, so hopefully it won't be too common of an occurrence.

Chris


On 2011/07/23 00:07, Nico Williams wrote:
> ktadd does not "extract" keys.  It sets new ones.  The fact that the
> kvno changes is a side issue -- what breaks you is that the keys
> change and you didn't expect that.  MIT krb5 has no other tool to
> extract keys without changing them.  However, you can use the -keepold
> option to make this a little more tolerable.  The MIT kadm5 API does
> allow you to extract keys, but only on the KDC proper (i.e, only when
> using libkadm5srv).
>
> If you really need this you might try
> http://oskt.secure-endpoints.com/krb5_admin.html
> (http://oskt.secure-endpoints.com/git/krb5_admin).  krb5_admin allows
> you to extract keytabs and works with MIT krb5.  If you don't go with
> this approach then I recommend what you suggested: ktadd on one server
> and copy the keytab to the others (if need be using ktutil to merge
> keytabs).
>
> Incidentally, Heimdal's kadmin client also can extract keys without
> setting new ones, but only with Heimdal kadmind.
>
> Nico
> --
>
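The failure mode Nico describes above (ktadd sets new keys and bumps the kvno, so a keytab copied to other hosts earlier no longer matches the tickets the KDC now issues) can be checked for directly before it bites. The following is an added example, not code from this thread or from MIT krb5: a small Python script that parses `klist -kte` output collected from several hosts and reports any shared service principal whose newest kvno is absent from some host's keytab. A host holding both the old and the new kvno (the result of merging with ktutil, as suggested above) is treated as fine. The hostnames, principal names and listings are constructed sample data, not output from a real realm.

```python
"""Detect kvno drift across keytabs after a ktadd on one host."""
import re
from collections import defaultdict

# Constructed sample output of `klist -kte` on three application hosts that
# share one service principal (not real data). app1 ran ktadd (kvno bumped
# to 3), app2 still holds the old kvno 2 keytab, app3 had the new entries
# merged in with ktutil and keeps both versions.
KLIST_OUTPUT = {
    "app1.example.com": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/23/2011 00:01:10 HTTP/app.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 07/23/2011 00:01:10 HTTP/app.example.com@EXAMPLE.COM (arcfour-hmac)
   1 07/01/2011 09:00:00 host/app1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
    "app2.example.com": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/22/2011 10:15:02 HTTP/app.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/22/2011 10:15:02 HTTP/app.example.com@EXAMPLE.COM (arcfour-hmac)
   1 07/01/2011 09:00:00 host/app2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
    "app3.example.com": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/22/2011 10:15:02 HTTP/app.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 07/23/2011 00:01:10 HTTP/app.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/01/2011 09:00:00 host/app3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
}

# One keytab entry line: kvno, optional "-t" timestamp, principal, optional "-e" enctype.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2}\s+)?"
    r"(?P<principal>\S+)"
    r"(?:\s+\((?P<enctype>[^)]*)\))?\s*$"
)


def parse_klist(text):
    """Map each principal in a `klist -k` listing to the set of kvnos present."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group("principal")].add(int(m.group("kvno")))
    return dict(kvnos)


def find_kvno_drift(listings):
    """Return principals whose highest kvno is missing from some host's keytab.

    listings maps hostname -> raw klist output. A host that lacks the highest
    kvno seen anywhere cannot decrypt tickets the KDC now issues for that
    principal; that is the breakage that follows an unexpected ktadd.
    """
    per_host = {host: parse_klist(text) for host, text in listings.items()}
    principals = set().union(*(p.keys() for p in per_host.values()))
    drift = {}
    for princ in sorted(principals):
        hosts_with = {h: k[princ] for h, k in per_host.items() if princ in k}
        if len(hosts_with) < 2:
            continue  # host/... keys are per-machine; nothing to compare
        current = max(max(v) for v in hosts_with.values())
        stale = sorted(h for h, v in hosts_with.items() if current not in v)
        if stale:
            drift[princ] = {"current_kvno": current, "stale_hosts": stale}
    return drift


if __name__ == "__main__":
    for princ, info in find_kvno_drift(KLIST_OUTPUT).items():
        print(f"{princ}: kvno {info['current_kvno']} missing on "
              f"{', '.join(info['stale_hosts'])}")
```

Run against real listings by replacing the constructed dictionary with the output of `klist -kte` gathered from each host; per-machine `host/` principals appear on only one host and are skipped, so only genuinely shared service principals are compared.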