Doubts managing keytabs

Lisandro Damián Nicanor Pérez Meyer perezmeyer at gmail.com
Thu Sep 26 12:00:03 EDT 2013


Hi! This is my first post here and I'm surely a newbie in respect of Kerberos, 
so please do not hesitate to point me to the right mailinglist/documentation 
if needed. In other words, RTFMs with proper pointers are much welcomed ;)

I have so far managed to set up MIT Kerberos under Debian Wheezy using LDAP as 
DB. I managed to create principals like host/machine.example.com@EXAMPLE.COM 
tied to LDAP entries like host=machine.example.com,ou=host,dc=example,dc=com, 
got keytabs for them and then managed to get users logged into machine using 
LDAP+Kerberos. So far so good.

My doubts arise when I need to create another principal for the same host, 
let's say, automount/machine.example.com. For what I understand until now, I 
could use two different methods wrt LDAP:

a) create another branch in the LDAP tree using ou=automount instead of 
ou=host
b) use the same entries in ou=host adding another krbPrincipalName with LDAP 
and then creating the associated principal.

Of course both options above with proper olcAuthzRegexp in cn=config. I 
chose to go with option (b) and I *think* that so far I got everything right 
up to that point.

So, no matter what option I chose above, a keytab management doubt arises.

Let's suppose I create a keytab for automount/m.e.c. I could then use ktutil 
to merge it with the previously generated host/m.e.c keytab, put it in the 
right place in machine.e.c and be done. Is that correct?

Now another question arises: do I have to have the keytab for host/m.e.c at 
hand for doing this or could I do it directly from kadmin?

And finally, where can I read wrt keytab managing, what does KVNO mean in 
klist's output, etc?

Thanks a lot in advance, Lisandro.

-- 

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/