wallet system

Almudena Montiel Gonzalez almumontiel at gmail.com
Tue Oct 30 04:57:48 EDT 2012


Thank you very much.
Yes, it works perfectly using

  wallet flag set keytab principal unchanging

Is there a way to set this flag automatically, so that it is set by default? I am
using the 'default_owner' function, and it would be great if I could
include it there, or set it as the default somewhere.

Cheers,
Almudena

2012/10/30 Russ Allbery <rra at stanford.edu>

> Almudena Montiel González <almumontiel at gmail.com> writes:
>
> > I have recently deployed the wallet system for streamlining of my
> > Kerberos keytabs.  I am using both types supported: files and keytabs.
> > When using files, I can create them and retrieve with no problem.  But
> > when I use the keytabs I don't get them properly. The key of the keytab
> > is a failed value.
>
> Sorry about the delay in answering.  I was out on vacation.
>
> What you're running into is that the default behavior when retrieving a
> Kerberos keytab is to randomize the key.  Therefore, each time the keytab
> is downloaded, you get a new keytab (and the keys are simultaneously
> updated in the KDC), invalidating any existing keytab.
>
> If you don't want this to happen, you have to set the unchanging flag on
> the keytab, at which point, if you're using Heimdal, the existing keytab
> will be retrieved.  If you're using MIT Kerberos, you will need to set up
> the keytab-backend remctl interface on your KDC so that it can extract the
> existing key for wallet.
>
> This is similar to how ktadd works, so most Kerberos folks are used to it,
> but I've gotten some feedback from other folks that it's confusing to have
> get randomize the keys for keytabs but not change anything for file
> objects.  I'm considering deprecating get for non-unchanging keytabs and
> introducing a new command, but I haven't decided yet.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>



-- 
Almudena Montiel González