Fwd: [OpenAFS] "reauth" code?

Booker Bense bbense@gmail.com
Fri, 31 Aug 2012 11:36:26 -0700


On Fri, Aug 31, 2012 at 10:56 AM, Gary Gatling <gsgatlin@ncsu.edu> wrote:

> So will I still need to create a keytab for this account? Is there a good
> faq on how to do that step if I know the account name and password?

The "best" way to create a keytab is to randomize the password and use kadmin
to extract the keytab.

If you have a Heimdal KDC, you can extract the keytab w/o changing the
password. The last time I looked, the MIT code essentially randomized the
password and updated the key when you created a keytab via the kadmin
interface.

If you have the MIT version of the ktutil command, you can use that to
create a keytab if you know the password. However, you have to also know
the key version number as well. (kadmin should tell you this.)

ktutil is kind of a weird interface; the command you want is add_entry.

Exactly what you do depends on whether you need to keep the password for
use by humans or not.

Once you have a keytab, k5start should allow you to do all the things you need.

- Booker C. Bense
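
Added example (not part of the original message, and not OpenAFS or MIT code): the reply stresses that a keytab built from a known password must carry the right key version number, so this sketch parses a keytab file and checks its kvno against the one kadmin reports, without ever returning key material. It assumes the version-2 keytab file layout; the principal, realm, and key bytes are constructed sample values, and `build_entry` and `has_kvno` are hypothetical helpers.

```python
import struct

def counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(name, realm, kvno, enctype, key):
    """Encode one version-2 keytab entry (only used to construct sample data)."""
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes; keys are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size <= 0:                       # hole left by a deleted entry
            pos -= size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 0
        def take(n):
            nonlocal off
            if off + n > len(rec):
                raise ValueError("field runs past end of entry")
            off += n
            return rec[off - n:off]
        def field():
            return take(struct.unpack(">H", take(2))[0])
        ncomp = struct.unpack(">H", take(2))[0]
        realm = field().decode()
        name = "/".join(field().decode() for _ in range(ncomp))
        take(8)                             # name type and timestamp
        kvno, enctype = struct.unpack(">BH", take(3))
        field()                             # key material, deliberately not returned
        if len(rec) - off >= 4:             # 32-bit kvno, used when non-zero
            kvno = struct.unpack(">I", take(4))[0] or kvno
        entries.append((f"{name}@{realm}", kvno, enctype))
    return entries

def has_kvno(entries, principal, kvno):     # kvno: the value kadmin reports
    return any(p == principal and k == kvno for p, k, _ in entries)

# Constructed sample: a deleted-entry hole, then one enctype 18 (AES256) entry.
SAMPLE = (b"\x05\x02" + struct.pack(">i", -6) + b"\x00" * 6
          + build_entry("svc-reauth", "EXAMPLE.ORG", 3, 18, b"\x00" * 32))
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab`; a keytab whose kvno differs from the KDC's current one will not decrypt tickets issued for that principal.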