[32801] in Kerberos
Re: Using ktadd seems to invalidate the passwd
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Oct 12 12:25:57 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <AANLkTik9P+A5UUtsug6weEFHDEcaN8G824aho78gs_e-@mail.gmail.com>
(Phillip Moore's message of "Tue, 12 Oct 2010 12:06:25 -0400")
Date: Tue, 12 Oct 2010 09:25:43 -0700
Message-ID: <8739sbe5tk.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Phillip Moore <w.phillip.moore@gmail.com> writes:
> When setting up the environment, I create the principals using:
> add_principal -pw $principal $principal@$realm
> Then I extract the keytab file for use in the test suite using:
> ktadd -k /path/to/$principal.keytab $principal
> I've discovered that as soon as I run ktadd, then I can no longer
> manually authenticate as that principal anymore.
> kinit(v5): Password incorrect while getting initial credentials
> I create 8 different users, and extract keytab files for only 3 of them.
> They are all created with the same add_principal command, and I can only
> manually authenticate as the 5 that have NOT had a keytab extracted.
> Now, I'm assuming that the act of extracting the keytab has a side
> effect, but it's not clear how to workaround it. If I reset the
> password using kadmin, that increments the kvno, which will mean I have
> to re-extract the keytab files, which will make the password invalid,
> which means....
With MIT Kerberos, ktadd over the network always randomizes the keys. You
have to use kadmin.local with the -norandkey flag (which is only available
in kadmin.local) to extract a keytab without randomizing the keys.
Alternately, you can create a keytab directly from the password rather
than using ktadd, using ktutil add_entry.
Heimdal behaves the way that you desire above; extracting a keytab in
Heimdal doesn't change the keys.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
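The failure described in this thread is a key-version mismatch: after a network ktadd the KDC holds a fresh random key with a bumped kvno, while the password (and any earlier keytab) still corresponds to the old one. The following is an added example, not code from the original message or from MIT Kerberos, that builds and parses MIT keytab files (format version 0x0502) so the kvno and enctype of each entry can be inspected and compared against what the KDC reports. The principal names, kvnos and key bytes are constructed placeholders; the key material is not derived from a real password (that is what ktutil addent -password does for you).

```python
"""Build and parse MIT keytab files (format 0x0502) and flag entries whose kvno
no longer matches the KDC.  Added example; principals and key bytes are constructed.

The two non-randomizing extraction paths from the thread, for reference:
  kadmin.local -q "ktadd -norandkey -k /path/to/alice.keytab alice"
  ktutil
    ktutil:  addent -password -p alice@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
    ktutil:  wkt /path/to/alice.keytab
"""
import struct
import time

KEYTAB_V2 = 0x0502          # only version written by current MIT krb5
NT_PRINCIPAL = 1            # KRB5_NT_PRINCIPAL
ENCTYPE_AES256_SHA1 = 18    # aes256-cts-hmac-sha1-96
ENCTYPE_AES128_SHA1 = 17    # aes128-cts-hmac-sha1-96


def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key, timestamp=None):
    """Serialize one keytab_entry (size prefix included).  Principal components are
    split on '/' without handling backslash escapes (simplification)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    for c in components:
        body += _octets(c.encode())
    body += struct.pack(">I", NT_PRINCIPAL)
    body += struct.pack(">I", int(time.time() if timestamp is None else timestamp))
    body += struct.pack(">B", kvno & 0xFF)            # legacy 8-bit vno
    body += struct.pack(">H", enctype) + _octets(key)  # keyblock
    body += struct.pack(">I", kvno)                    # 32-bit vno (kvno > 255 safe)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes)."""
    return struct.pack(">H", KEYTAB_V2) + b"".join(build_entry(*e) for e in entries)


def _read_octets(buf, off):
    n, = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf):
    off = 0
    ncomp, = struct.unpack(">H", buf[off:off + 2]); off += 2
    realm, off = _read_octets(buf, off)
    comps = []
    for _ in range(ncomp):
        c, off = _read_octets(buf, off)
        comps.append(c.decode())
    off += 4                                             # name_type, not needed here
    timestamp, = struct.unpack(">I", buf[off:off + 4]); off += 4
    vno8 = buf[off]; off += 1
    enctype, = struct.unpack(">H", buf[off:off + 2]); off += 2
    key, off = _read_octets(buf, off)
    kvno = vno8
    if len(buf) - off >= 4:                              # 32-bit vno present
        vno32, = struct.unpack(">I", buf[off:off + 4])
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
            "enctype": enctype, "key": key, "timestamp": timestamp}


def parse_keytab(data):
    """Return (version, [entry dicts]).  Negative size prefixes are deleted slots
    (left behind by ktutil delent / kadmin ktremove) and are skipped."""
    version, = struct.unpack(">H", data[:2])
    if version != KEYTAB_V2:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size])); pos += size
    return version, entries


def stale_entries(data, kdc_kvnos):
    """Entries whose kvno differs from the KDC's current kvno for that principal
    (kdc_kvnos: principal -> kvno, e.g. transcribed from kadmin getprinc).
    Principals absent from kdc_kvnos are not reported."""
    _, entries = parse_keytab(data)
    return [e for e in entries
            if kdc_kvnos.get(e["principal"]) not in (None, e["kvno"])]


if __name__ == "__main__":
    # Constructed: alice's keytab was made from her password at kvno 1, then a
    # network ktadd randomized her key and bumped the KDC to kvno 2.
    kt = build_keytab([("alice@EXAMPLE.COM", 1, ENCTYPE_AES256_SHA1, b"\x11" * 32),
                       ("bob/admin@EXAMPLE.COM", 3, ENCTYPE_AES128_SHA1, b"\x22" * 16)])
    for e in parse_keytab(kt)[1]:
        print("%-25s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    for e in stale_entries(kt, {"alice@EXAMPLE.COM": 2, "bob/admin@EXAMPLE.COM": 3}):
        print("STALE:", e["principal"], "keytab kvno", e["kvno"])
```

On a real system the same check is `klist -k -e /path/to/alice.keytab` (keytab side) against the "Key: vno" line of `kadmin.local -q "getprinc alice"` (KDC side); a keytab whose kvno is behind the KDC is the same symptom the original poster saw for the password, just on the keytab instead.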