[OpenAFS] Re: Cron Jobs for "Regular" Users
Thu, 28 Jan 2010 12:57:42 -0800
Holger Rauch <firstname.lastname@example.org> writes:
> On Thu, 28 Jan 2010, Russ Allbery wrote:
>> ktadd -norandkey will do this automatically. ktutil doesn't seem like the
>> right tool to use if you're using MIT Kerberos (it's the right tool to use
>> if you're using Heimdal).
> The problem is that I don't want to "destroy" my regular user's
> princ. (I'm afraid that once I ktadd a princ to a keytab, I can't login
> anymore interactively using that principal because of the increased
> kvno). In case I'm wrong, please feel free to correct me. (I would have
> preferred to use ktadd right from the start, but the aforementioned
> fears kept me away from using it).
That's why you have to use -norandkey. That's what it does. By default,
kadmin ktadd will randomize the key, but -norandkey extracts the existing
key from the KDC. It's only available in kadmin.local, not in kadmin.
If you know the password, you should also be able to create a keytab with
ktutil, which I suspect is the path you were going down, but you will need
to get the kvno and enctype correct when using add_entry. You should only
need one entry with whatever enctype you want to use, though.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>