Streamlining host principal keytab provisioning?

Russ Allbery rra at stanford.edu
Wed May 9 13:47:42 EDT 2012


Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> And then I tried to get that keytab from the client (host.domain.org):

> $wallet -f file  get keytab nfs/host.domain.org -s server.domain.org
> wallet: error creating keytab for nfs/host.domain.org at REALM: Operation requires ``change-password'' privilege while changing nfs/host.domain.org at REALM's key

> change-password privileges, it refers to the wallet service, the
> database service or the kerberos service?

It refers to the wallet service: service/wallet at REALM.  Usually this means
that the kadm5.acl line for service/wallet isn't complete.  It should be
something like:

service/wallet at test-k5.stanford.edu     admci   host/*@test-k5.stanford.edu
service/wallet at test-k5.stanford.edu     admci   nfs/*@test-k5.stanford.edu

(with a different realm, of course, and whatever other principal patterns
you want wallet to be able to manage).

> I tried to get that keytab from kadmin using the principal
> service/wallet and I managed locally. Therefore, I believe it is not a
> kerberos problem.

Hm, yes, that is interesting.  I'm not sure what could be going on there.
It might help to check the kadmind logs on the KDC when wallet fails to
change the key.  Note that you need different privileges to create the
principal in the first place (a) versus downloading a new keytab and
thereby randomizing the key again (c), which might explain it (or might
not).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
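The kadm5.acl check described above, as an added example that is not from the thread or from the wallet project: a small Python parser for kadm5.acl that reports which of the "a" (create principal) and "c" (change password) privileges an actor such as service/wallet holds over a target, run against a constructed ACL whose host/* line is missing "c". It assumes MIT's first-matching-line rule and approximates kadm5.acl wildcards with shell-style globbing (the realm, principals and file contents are all constructed).

```python
"""Report which kadm5.acl privileges an actor principal holds over a target.

Added example, not part of the original thread. Assumptions: the first
matching ACL line decides (MIT rule); '*' wildcards are approximated with
shell-style globbing, so MIT back-references such as *1 are not handled.
"""
import fnmatch

# Constructed sample kadm5.acl: the host/* line lacks 'c', the nfs/* line
# carries the full set the reply recommends (admci).
SAMPLE_ACL = """\
# actor                       perms   target
service/wallet@EXAMPLE.ORG    admi    host/*@EXAMPLE.ORG
service/wallet@EXAMPLE.ORG    admci   nfs/*@EXAMPLE.ORG
"""

ALL_PRIVS = set("admcilse")  # what 'x' or '*' expands to


def parse_acl(text):
    """Yield (actor_pattern, perms, target_pattern) for each ACL entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        target = fields[2] if len(fields) > 2 else "*"  # no target = any
        yield fields[0], fields[1], target


def privileges(acl_text, actor, target):
    """Privilege letters the first matching line grants actor over target.

    Lowercase letters grant; uppercase letters deny, so they are simply
    not returned; 'x' or '*' grants everything.
    """
    for pattern, perms, tgt in parse_acl(acl_text):
        if fnmatch.fnmatchcase(actor, pattern) and fnmatch.fnmatchcase(target, tgt):
            if "x" in perms or "*" in perms:
                return set(ALL_PRIVS)
            return {p for p in perms if p.islower()}
    return set()  # no matching line: kadmind denies everything


def missing_for_keytab(acl_text, actor, target):
    """Of 'a' (create) and 'c' (rekey on keytab download), which are absent."""
    return set("ac") - privileges(acl_text, actor, target)
```

Running `missing_for_keytab` for a host/ target against the sample reports the missing "c", which is exactly the privilege the "change-password" error in the thread complains about.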
