wallet system
Almudena Montiel Gonzalez
almumontiel at gmail.com
Tue Oct 30 04:57:48 EDT 2012
Thank you very much.
Yes, it works perfectly using
wallet flag set keytab principal unchanging
Is there a way to set this flag automatically, so that it is set by default? I am
using the 'default_owner' function, and it would be great if I could
include it there, or set it as a default somewhere.
Cheers,
Almudena
2012/10/30 Russ Allbery <rra at stanford.edu>
> Almudena Montiel González <almumontiel at gmail.com> writes:
>
> > I have recently deployed the wallet system for streamlining of my
> > kerberos keytabs. I am using both types supported: files and keytabs.
> > When using files, I can create them and retrieve with no problem. But
> > when I use the keytabs I don't get them properly. The key of the keytab
> > is a failed value.
>
> Sorry about the delay in answering. I was out on vacation.
>
> What you're running into is that the default behavior when retrieving a
> Kerberos keytab is to randomize the key. Therefore, each time the keytab
> is downloaded, you get a new keytab (and the keys are simultaneously
> updated in the KDC), invalidating any existing keytab.
>
> If you don't want this to happen, you have to set the unchanging flag on
> the keytab, at which point, if you're using Heimdal, the existing keytab
> will be retrieved. If you're using MIT Kerberos, you will need to set up
> the keytab-backend remctl interface on your KDC so that it can extract the
> existing key for wallet.
>
> This is similar to how ktadd works, so most Kerberos folks are used to it,
> but I've gotten some feedback from other folks that it's confusing to have
> get randomize the keys for keytabs but not change anything for file
> objects. I'm considering deprecating get for non-unchanging keytabs and
> introducing a new command, but I haven't decided yet.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
--
Almudena Montiel González
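As an added example (not code from the thread or from the wallet project), a small sh wrapper that guards the behaviour Russ describes: it refuses to run "wallet get keytab" unless the object already carries the unchanging flag, so an existing keytab is not silently rekeyed. It assumes that "wallet show keytab <principal>" prints a "Flags:" line listing the flags set on the object.

```shell
#!/bin/sh
# Added example, not part of the original thread or the wallet distribution.
# Assumption: "wallet show keytab <principal>" prints a line of the form
# "          Flags: unchanging" when the flag is set; that is what we grep for.

# Return 0 if the keytab object has the unchanging flag, 1 otherwise.
has_unchanging_flag() {
    wallet show keytab "$1" 2>/dev/null \
        | grep -Eq '^[[:space:]]*Flags:.*(^|[[:space:]])unchanging([[:space:]]|$)'
}

# Fetch the keytab for $1 into file $2 only if it is marked unchanging.
# Without the flag, "wallet get" would randomize the key in the KDC and
# invalidate every copy of the keytab already deployed, so stop instead.
# Returns the exit status of wallet on success, 2 if the flag is missing.
safe_get_keytab() {
    principal=$1
    out=$2
    if has_unchanging_flag "$principal"; then
        wallet get keytab "$principal" > "$out"
        return $?
    fi
    echo "refusing: $principal is not unchanging; get would rekey it" >&2
    echo "set it first with: wallet flag set keytab $principal unchanging" >&2
    return 2
}

# Usage: safe_get_keytab service/foo@EXAMPLE.COM /etc/krb5.keytab.new
```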