[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?

Russ Allbery rra@stanford.edu
Mon, 13 Feb 2006 23:42:29 -0800
Adam Megacz <megacz@cs.berkeley.edu> writes:
> Russ Allbery <rra@stanford.edu> writes:

>> ktadd changes the key.

> I am: dumbfounded.

> Dare I ask if there was a reason for this decision?  Other than causing
> me grief, of course.

Keytabs are normally not supposed to be shared between multiple machines,
and this approach means that kadmind doesn't need to have the capability
of retrieving keys from the KDC, which is an additional separation of
capability and an additional level of security.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>