Question related to keytab entries upgrade

Roland C. Dowdeswell elric at
Thu Jan 24 20:42:19 EST 2013

On Thu, Jan 24, 2013 at 03:28:25PM -0500, Greg Hudson wrote:

> At the moment, I am more partial to a design using a server kvno
> attribute in the DB entry.  It's significantly more work, but (1)
> because keys would still be generated within kadmind, it finesses the
> issue of setkey permissions; and (2) it would allow kinit -k to continue
> to work without requiring the client code to retry with multiple key
> entries.

The client only has to retry if you've enabled preauthentication which
is not strictly necessary for service principals whose keys are random.

    Roland Dowdeswell                      http://Imrryr.ORG/~elric/

More information about the krbdev mailing list