wallet system

[Russ Allbery]

Almudena Montiel González <almumontiel at gmail.com> writes:

> I have recently deployed the wallet system for streamlining of my
> kerberos keytabs.  I am using both types supported: files and keytabs.
> When using files, I can create them and retrieve with no problem.  But
> when I use the keytabs I dont get them properly. The key of the keytab
> is a failed value.

Sorry about the delay in answering.  I was out on vacation.

What you're running into is that the default behavior when retrieving a
Kerberos keytab is to randomize the key.  Therefore, each time the keytab
is downloaded, you get a new keytab (and the keys are simultaneously
updated in the KDC), invalidating any existing keytab.

If you don't want this to happen, you have to set the unchanging flag on
the keytab, at which point, if you're using Heimdal, the existing keytab
will be retrieved.  If you're using MIT Kerberos, you will need to set up
the keytab-backend remctl interface on your KDC so that it can extract the
existing key for wallet.

This is similar to how ktadd works, so most Kerberos folks are used to it,
but I've gotten some feedback from other folks that it's confusing to have
get randomize the keys for keytabs but not change anything for file
objects.  I'm considering deprecating get for non-unchanging keytabs and
introducing a new command, but I haven't decided yet.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>