[Freeipa-users] ipa and cronjob

Anthony Messina amessina at messinet.com
Wed Nov 14 18:14:44 UTC 2012


On Wednesday, November 14, 2012 09:42:03 AM Petr Spacek wrote:
> >> Just FYI, this is not strictly true, look at the -P, --password option
> >> of ipa-getkeytab
> > 
> > Thanks.  I didn't notice that option since I'd been using this method
> > since
> > before I started using IPA.
> > 
> > Is the password used to generate a principal still usable after a keytab
> > has been exported?  I seem to remember from my pre-IPA days of using a
> > plain old standalone MIT KDC that I couldn't use the password to
> > authenticate after the keytab had been exported using kadmin.  Again, I
> > never really investigated it, but the password never seemed to work after
> > the keytab was exported.
> Kadmin from original MIT Kerberos has two flavors: kadmin and kadmin.local.
> 
> Only "kadmin.local" (which works locally on KDC) can export keytab without 
> re-generating key (i.e. password).
> 
> Network version - "kadmin" - has to re-generate key before each export.

Petr, you are right.  I never knew that distinction between kadmin and 
kadmin.local.  It was kadmin that I would use on remote machines to export the 
keytab, rendering the original password useless.

Thanks for the info.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E