[14862] in Kerberos
Re: Can we rename a principal yet?
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Aug 1 01:58:33 2001
To: "Christopher P. Lindsey" <lindsey@mallorn.com>
Cc: kerberos@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>
Date: 01 Aug 2001 01:56:38 -0400
In-Reply-To: "Christopher P. Lindsey"'s message of "Wed, 1 Aug 2001 00:32:33 -0500"
Message-ID: <ldv3d7c5nmx.fsf@saint-elmos-fire.mit.edu>

>>>>> "lindsey" == Christopher P Lindsey <lindsey@mallorn.com> writes:

lindsey> Yes, I know it's a FAQ, and yes, I know the key is (usually)
lindsey> salted with the entire principal name.

This still isn't quite possible yet through the kadm5 API; it is
tentatively on our todo list for the next release.

lindsey> As an aside, is there any way to specify an alternative salt
lindsey> via kadmin? The docs indicate that you can do '-e
lindsey> enctype:salttype' or even '-salt salttype', but neither
lindsey> appears to work for me. I can change/add it in kdc.conf, but
lindsey> that's not too exciting either.

Are you using the "-e" flag when invoking kadmin from the shell, or
are you passing it as a flag to the cpw or addprinc commands while
inside kadmin? The latter will work if you're running a recent enough
kadmin client and server, while the former will only work if you're
using kadmin.local, not kadmin.

The "supported_enctypes" variable in kdc.conf should change the
default for kadmin.local and kadmind, but that's probably a bigger
hammer than you want to use. The variable name is rather
misleading, unfortunately.

I do not think there is currently a way to specify an explicit string
as a salt string to any of the kadm5 programs; you're stuck with
selecting from the set of existing algorithmically determined salt
strings.

---Tom
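
Added example (not part of the original message and not MIT krb5 code): a sketch of why a principal-name salt blocks renaming, and which of the algorithmically determined salt types would let a password-derived key survive a rename. Assumptions: the salt definitions follow the kdc.conf salt type names (normal, norealm, onlyrealm, v4); the PBKDF2-HMAC-SHA1 step of the later RFC 3962 AES string-to-key stands in for the full string-to-key function; the principal names and password are constructed.

```python
import hashlib


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm).
    Simplified: assumes a realm is present and no escaped '/' or '@'."""
    local, _, realm = name.rpartition("@")
    return local.split("/"), realm


def salt_for(name, salttype="normal"):
    """Return the salt bytes a given salt type yields for a principal."""
    comps, realm = parse_principal(name)
    joined = "".join(comps).encode()       # components, no separators
    table = {
        "normal": realm.encode() + joined,  # realm + name components
        "norealm": joined,                  # name components only
        "onlyrealm": realm.encode(),        # realm only
        "v4": b"",                          # Kerberos 4 style: no salt
    }
    return table[salttype]


def password_key(password, salt, iterations=4096, length=32):
    """Stand-in for string-to-key: only the PBKDF2 step of RFC 3962.
    The final DK(tkey, "kerberos") step is omitted, so these bytes are
    not real Kerberos keys; they only show the dependence on the salt."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               iterations, length)


def survives_rename(old, new, password, salttype):
    """True if the same password gives the same key under both names."""
    return (password_key(password, salt_for(old, salttype))
            == password_key(password, salt_for(new, salttype)))


if __name__ == "__main__":
    old, new = "alice@EXAMPLE.COM", "asmith@EXAMPLE.COM"  # constructed
    for st in ("normal", "norealm", "onlyrealm", "v4"):
        print(f"{st:10} salt(old)={salt_for(old, st)!r:22} "
              f"key survives rename: {survives_rename(old, new, 'pw', st)}")
```

With the name-derived salts the stored key no longer matches what a client derives for the new name, so a rename has to either keep the old salt alongside the key or force a password change.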