Using a master key and principal name to derive password for principal

Ts7 Coe tm3y at
Wed Oct 16 06:33:29 EDT 2019

> Then you don't actually need keys at all. If no one is going to
> make an AS_REQ or TGS_REQ with the principal as a target, then you
> do not need keys.

The principals will authenticate with each other, so any principal could
be a target of TGS_REQ. So I think there still must be keys for every

> Try to not set entry.key_data and entry.n_key_data (where entry is
> krb5_db_entry structure) fields. We do this in FreeIPA for principals
> that have no key associated and it works for PKINIT. It works just fine.

I think this operation is identical to the purgekeys command? Then it could
also make the principal unable to act in a server role.

I think the principal still needs keys in my scenario.
