Fwd: [OpenAFS] "reauth" code?

Russ Allbery rra@stanford.edu
Fri, 31 Aug 2012 11:31:17 -0700


Gary Gatling <gsgatlin@ncsu.edu> writes:

> So will I still need to create a keytab for this account?

Yes, that would be my recommendation.

> Is there a good faq on how to do that step if I know the account name
> and password?

If you're using MIT Kerberos, you can use the add_entry command in ktutil
to create a keytab when you know the password, but it's very awkward (you
have to know the kvno and run it repeatedly for each enctype you want).
If you're using Heimdal, the add command to ktutil is, I think, quite a
bit friendlier about such things.

Is it okay to change the password as part of creating the keytab?  If so,
by far the easiest thing to do is to download the keytab like you would
any other keytab (such as a host/* keytab), using kadmin or whatever other
local infrastructure you use.  However, with MIT Kerberos (but not with
Heimdal) this will randomize the key, so the old password will stop
working.

The other option with MIT Kerberos would be to have your KDC administrator
extract a keytab for the existing key by running kadmin.local as root on
the KDC and then using the addprinc -norandkey command (which is only
available in kadmin.local).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
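As an added example (not part of Russ's message, and not code from OpenAFS or MIT Kerberos), a small POSIX shell function that does the repetitive bookkeeping behind the ktutil add_entry route described above: one add_entry per enctype, all with the same principal and kvno, then write_kt. The principal name, kvno, keytab path and enctype list are assumed sample values.

```shell
#!/bin/sh
# Added example: generate the ktutil command sequence MIT Kerberos needs to
# build a keytab from a known password. add_entry stores exactly one key per
# enctype, so it has to be repeated for every enctype with the same principal
# and kvno; this function does that and rejects inputs that would otherwise
# produce a keytab that silently fails to match the KDC.
# Principal, kvno, keytab path and enctypes below are assumptions.

# gen_ktutil_script PRINCIPAL KVNO KEYTAB ENCTYPE...
# Prints one add_entry line per enctype, then write_kt and quit, on stdout.
gen_ktutil_script() {
    if [ $# -lt 4 ]; then
        echo "usage: gen_ktutil_script PRINCIPAL KVNO KEYTAB ENCTYPE..." >&2
        return 1
    fi
    princ=$1; kvno=$2; keytab=$3
    shift 3
    # The principal must carry its realm; a bare name is the usual reason the
    # resulting keytab does not match what the KDC has.
    case $princ in
        *@*) ;;
        *) echo "principal needs a realm: $princ" >&2; return 1 ;;
    esac
    # The kvno must be the integer the KDC currently holds for this principal.
    case $kvno in
        ''|*[!0-9]*) echo "kvno must be a non-negative integer" >&2; return 1 ;;
    esac
    for enctype in "$@"; do
        # -password makes ktutil prompt for the password instead of taking it
        # on the command line, so it never lands in shell history or ps output.
        printf 'add_entry -password -p %s -k %s -e %s\n' "$princ" "$kvno" "$enctype"
    done
    printf 'write_kt %s\nquit\n' "$keytab"
}

# Number of add_entry lines a generated script carries (one per enctype).
count_add_entries() {
    gen_ktutil_script "$@" | grep -c '^add_entry '
}

# Constructed sample call: two AES enctypes for an assumed principal.
gen_ktutil_script reauth/afs@EXAMPLE.COM 3 /etc/reauth.keytab \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

Paste the output into an interactive ktutil session; it prompts for the password at each add_entry. The kvno has to match what the KDC holds (the MIT kvno command reports it for a principal you can get a ticket for).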