propagation of new service principal keys
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Mar 10 13:36:56 EST 2017
>- service admin can put in a second/new keytab that has both keys, wait
>some length of time, then put in a third/new keytab that has just the
>new key. It's an extra step for the service admin, though?
This is what we do (well, it's automated). You kind of need to do this
anyway regardless of propagation delay; a cached service ticket can be
hanging around for a long time.
--Ken
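
Added example, not part of the original post or of any Kerberos distribution: a check a rotation job could run before the "new key only" step, reading the keytab to confirm both key versions are present and reporting which old kvnos can go once the wait has elapsed. It assumes the MIT keytab file format 0x0502; the function names, the sample principal and keytab, and the `wait_seconds` policy (maximum ticket lifetime plus propagation delay) are assumptions made for illustration.

```python
import struct

def parse_keytab(blob):
    """Return [(principal, kvno, timestamp)] from an MIT keytab (format 0x0502)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                # negative length marks a deleted slot
            pos += -size
            continue
        rec, off = blob[pos:pos + size], 0
        pos += size

        def counted():               # 16-bit length followed by that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]

        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ntype, ts, kvno = struct.unpack_from(">IIB", rec, off)
        off += 9 + 2                 # name type, timestamp, 8-bit kvno, enctype
        counted()                    # key bytes are skipped, never returned
        if len(rec) - off >= 4:      # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, ts))
    return entries

def old_kvnos_safe_to_drop(entries, principal, now, wait_seconds):
    """Older kvnos that may be removed once the newest key has been present for
    wait_seconds (assumption: max ticket lifetime plus propagation delay)."""
    mine = [(k, t) for p, k, t in entries if p == principal]
    if not mine or now - max(mine)[1] < wait_seconds:
        return []
    return sorted({k for k, _ in mine if k < max(mine)[0]})

def _entry(name, realm, kvno, ts):   # builds one constructed sample entry
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = name.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, 18) + s(bytes(32))
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

P = "host/app.example.com@EXAMPLE.COM"   # constructed principal
SAMPLE = b"\x05\x02" + b"".join(         # constructed keytab: old kvno 3, new kvno 4
    _entry("host/app.example.com", "EXAMPLE.COM", k, t)
    for k, t in [(3, 1489000000), (4, 1489100000)])
```

An empty result means the old key must stay in the keytab, because a cached service ticket encrypted under it may still be presented.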