On Wed, 2012-11-14 at 00:22 -0600, Anthony Messina wrote:
> On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote:
> > On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
> > > 1. Using automatic login with the lightdm display manager, I have it
> > > run the following script to remove any old Kerberos ccaches, then
> > > obtain a new ticket on behalf of the user, and set the appropriate
> > > permissions and SELinux context. Note that in this case, I echo the
> > > password to kinit -- If I exported a keytab, I would not be able to
> > > manually login with a known password if there were a problem.
> >
> > Just FYI, this is not strictly true, look at the -P, --password option
> > of ipa-getkeytab
>
> Thanks. I didn't notice that option since I'd been using this method since
> before I started using IPA.
>
> Is the password used to generate a principal still usable after a keytab
> has been exported? I seem to remember from my pre-IPA days of using a
> plain old standalone MIT KDC that I couldn't use the password to
> authenticate after the keytab had been exported using kadmin. Again, I
> never really investigated it, but the password never seemed to work after
> the keytab was exported.
If you ask kadmin to randomize the password, then you are basically
*changing* the password at the time you export the keytab with a random
one, so your *old* password won't work anymore and you do not know the new
random one.

But if you tell ipa-getkeytab to use a specific secret when generating the
keytab, that is what is used to generate the new keys, so whether you use
pre-computed hashes in the keytab or manually regenerate them at kinit time
using a password it makes no difference.

Of course if you then change your password or get a new keytab you will
change keys again, so the previous password/keytab won't work anymore.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
