Question related to keytab entries upgrade
Roland C. Dowdeswell
elric at imrryr.org
Thu Jan 24 20:42:19 EST 2013
On Thu, Jan 24, 2013 at 03:28:25PM -0500, Greg Hudson wrote:
>
> At the moment, I am more partial to a design using a server kvno
> attribute in the DB entry. It's significantly more work, but (1)
> because keys would still be generated within kadmind, it finesses the
> issue of setkey permissions; and (2) it would allow kinit -k to continue
> to work without requiring the client code to retry with multiple key
> entries.
The client only has to retry if you've enabled preauthentication, which
is not strictly necessary for service principals whose keys are random.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/