> - service admin can put in a second/new keytab that has both keys, wait
> some length of time, then put in a third/new keytab that has just the
> new key. It's an extra step for the service admin, though?

This is what we do (well, it's automated). You kind of need to do this anyway regardless of propagation delay; a cached service ticket can be hanging around for a long time.

--Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos