Default client keytab name

Nico Williams nico at
Sat Jul 21 22:42:38 EDT 2012

On Sat, Jul 21, 2012 at 9:22 PM, Danilo Almeida <dalmeida at> wrote:
> Some further refinement on my thinking:
> The acceptor keytab at /etc/krb5.keytab is locked down to root, right?  So
> perhaps we should have uid 0's client keytab at /etc/krb5.client.keytab.
> If so, then option (2) could be the mirror of that for a root acceptor
> keytab.  Then option 1 could be used for all uids != 0.  In theory, an
> acceptor keytab could be stored there as well.  The file part of the name
> could be <uid>.keytab for acceptor and <uid>.client.keytab for initiator.
> This would make it so when you copy the keytabs, they would not stomp over
> each other if they end up in the same directory.

That works for me.

> So my preference is for option 1 and option 2, where option 1 applies to uid
> != 0 and option 2 applies to uid = 0.   Thoughts?
> Is the file format for client (initiator) vs acceptor keytabs fundamentally
> different?  Is that why the .clkeytab extension is used?  If so, I'm back on
> board with .clkeytab (instead of .client.keytab).  In fact, I think that I
> am warming up to .clkeytab regardless.

No, it's the same format.  We should not introduce a new file type suffix, IMO.

More information about the krbdev mailing list