From 826e2b129a1f3c450b2c8452b7fc6497b96316d5 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 6 Jan 2014 21:09:00 -0800 Subject: Fix wallet-rekey on keytabs containing multiple principals Fix wallet-rekey on keytabs containing multiple principals. Previous versions assumed one could concatenate keytab files together to make a valid keytab file, which doesn't work with some Kerberos libraries. This caused new keys downloaded for principals after the first to be discarded. As a side effect of this fix, wallet-rekey always appends new keys directly to the existing keytab file, and never creates a backup copy of that file. Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359 Reviewed-on: https://gerrit.stanford.edu/1369 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- client/wallet-rekey.pod | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'client/wallet-rekey.pod') diff --git a/client/wallet-rekey.pod b/client/wallet-rekey.pod index 47413ad..5892244 100644 --- a/client/wallet-rekey.pod +++ b/client/wallet-rekey.pod @@ -1,6 +1,6 @@ =for stopwords wallet-rekey rekey rekeying keytab -hv Heimdal remctl remctld PKINIT kinit -appdefaults Allbery +appdefaults Allbery kadmin =head1 NAME @@ -21,11 +21,8 @@ from the local default realm, requests new wallet keytab objects for each principal (removing the realm when naming the keytab), and merges the new keys into the keytab. -If an error occurs before any new keys were downloaded, B -aborts. If some new keys were successfully downloaded, B -warns about errors but continues to rekey all principals that it can. In -this case, a copy of the existing keytab prior to the rekeying is saved in -a file named by appending C<.old> to the file name. +If an error occurs, B continues to rekey all principals that +it can, producing error messages for those that it cannot rekey. If no keytab file name is given on the command line, B attempts to rekey F, the system default keytab file. 
@@ -43,8 +40,10 @@ or: ktutil -k purge -for Heimdal. This functionality will eventually be provided by -B directly. +for Heimdal. The Heimdal command can be run by any user with access to +the keytab, but the MIT Kerberos command unfortunately has to be run by a +someone with direct B access. This functionality will eventually +be provided by B directly. =head1 OPTIONS -- cgit v1.2.3
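Review bot: In the first hunk (the `@@ -21,11 +21,8 @@` region of client/wallet-rekey.pod), the replacement paragraph drops the description of the C<.old> backup file but does not say that no backup is made at all any more, even though the commit message states that wallet-rekey now "always appends new keys directly to the existing keytab file, and never creates a backup copy of that file". Users of earlier versions may have relied on that file, so the new paragraph should say so explicitly, for example by appending "New keys are appended directly to the existing keytab file; no backup copy of the keytab is made." It would also help to document what exit status B<wallet-rekey> returns when it "continues to rekey all principals that it can" after an error, since the old text at least distinguished the abort case from the warn-and-continue case and the new text does not.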
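Review bot: In the second hunk (the `@@ -43,8 +40,10 @@` region), the added line "the MIT Kerberos command unfortunately has to be run by a someone with direct B access" contains a typo: "by a someone" should be "by someone" (the markup target of the B<> is not visible here, but given that "kadmin" is added to the stopwords list in the first hunk it is presumably B<kadmin>). Suggested wording: "but the MIT Kerberos command unfortunately has to be run by someone with direct B<kadmin> access."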