Encryption type troubles
Greg Hudson
ghudson at MIT.EDU
Fri Sep 14 14:31:01 EDT 2012
On 09/14/2012 02:16 PM, Martin B. Smith wrote:
> Thanks Greg and Marcus. It was exactly as you pointed out. Are there any
> side effects of rekeying krbtgt at REALMNAME? I'm guessing any existing
> TGTs are invalidated, but I haven't reasoned out any other problems that
> might occur.
You can use -keepold to avoid invalidating existing TGTs.
If you have multiple KDCs, you'll want to force a propagation right
after re-keying the krbtgt. During the propagation window, TGS requests
may fail if they go to slave KDCs.
More information about the Kerberos
mailing list