On Tue, Jan 29, 2002 at 04:07:57PM -0600, Rick wrote:

> Under what circumstances would my host have a shared secret with the KDC?
> Note: I moved the keytab file to a directory not in my path and I could
> still kinit the Win2k KDC. I'm still trying to figure out why MS said I
> need the keytab file on the unix host. Based on Sean's response I'm
> inclined to believe the only reason is that my host would automatically
> authenticate with the KDC (if necessary) when someone logs into it.
>
> If that's true, logically it would make sense that the principal password is
> stored in the keytab file. The contents of this file should then be the
> same as the result of the encrypt/hash algorithm kinit uses. True?
>
> If all that's true then it would stand to reason that the file isn't
> necessary unless someone logs into my unix host. Let me further qualify
> that by adding the exemption of kerberized software that is capable of using
> a keytab file to automate authentication. Am I right?

If you will be running anything on your Unix host that will authenticate against the Kerberos realm, you MUST have a keytab on that host.

If all authentication for services (including login) running on the Unix host is handled against a local password database, and your users will only be running kinit after login in order to acquire additional network credentials, then no keytab is needed.

Steve Langasek
postmodern programmer
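On the question above of what the keytab file actually contains: an added example, not code from this thread, that parses an MIT-format (0x0502) keytab and shows it holds the principal name, key version, encryption type and the derived long-term key (the same string-to-key output kinit computes from a password), never the password itself. The sample keytab bytes, principal name and 16-byte key are constructed here and are not real.

```python
import struct

# Constructed sample keytab (MIT format 0x0502) for an assumed principal
# host/unixbox.example.com@EXAMPLE.COM, enctype 17 (aes128-cts-hmac-sha1-96),
# with a made-up 16-byte key. None of these values are real.
def _entry(realm, components, name_type, timestamp, vno, enctype, key):
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm
    for c in components:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + _entry(
    b"EXAMPLE.COM", [b"host", b"unixbox.example.com"], 1, 1012345678, 3, 17, bytes(range(16)))

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:           # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        (rlen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, timestamp, vno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:     # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": enctype, "key": key.hex(), "timestamp": timestamp})
    return entries

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
```

Because the key in the file is equivalent to the password for that principal, the keytab must be readable only by root (or the service account), which is the same reason the thread treats it as a shared secret with the KDC.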
