[OpenAFS] Re: Cron Jobs for "Regular" Users

Russ Allbery rra@stanford.edu
Thu, 28 Jan 2010 12:57:42 -0800


Holger Rauch <holger.rauch@empic.de> writes:
> On Thu, 28 Jan 2010, Russ Allbery wrote:

>> [...] 
>> ktadd -norandkey will do this automatically.  ktutil doesn't seem like the
>> right tool to use if you're using MIT Kerberos (it's the right tool to use
>> if you're using Heimdal).

> The problem is that I don't want to "destroy" my regular user's
> princ. (I'm afraid that once I ktadd a princ to a keytab, I can't log in
> anymore interactively using that principal because of the increased
> kvno). In case I'm wrong, please feel free to correct me. (I would have
> preferred to use ktadd right from the start, but the aforementioned
> fears kept me away from using it).

That's why you have to use -norandkey.  That's what it does.  By default,
kadmin ktadd will randomize the key, but -norandkey extracts the existing
key from the KDC.  It's only available in kadmin.local, not in kadmin.

If you know the password, you should also be able to create a keytab with
ktutil, which I suspect is the path you were going down, but you will need
to get the kvno and enctype correct when using add_entry.  You should only
need one entry with whatever enctype you want to use, though.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>