Description of problem:
Create password for user with ank -pw $rootpass host/test.$domain. Then adding to keytab erases the password.

Version-Release number of selected component (if applicable):
# rpm -qa krb5-*
krb5-server-ldap-1.6.1-26.el5ipa
krb5-libs-1.6.1-30.el5
krb5-workstation-1.6.1-30.el5
krb5-auth-dialog-0.7-1
krb5-server-1.6.1-30.el5
krb5-libs-1.6.1-30.el5

How reproducible:
always

Steps to Reproduce:
kdb5_util create -s -P $kdcpass
echo "Starting services"
service kadmin start
service krb5kdc start
echo "Creating user $user credentials"
kadmin.local -q "addprinc -pw $rootpass root/admin"
kadmin.local -q "addprinc -randkey host/$host"
kadmin.local -q "ktadd host/$host"
useradd $user
echo $syspass | passwd --stdin $user
kadmin.local -q "addprinc -pw $krbpass $user"
echo $syspass | kinit $user
kadmin.local -q "ank -randkey DNS/`hostname`"
kadmin.local -q "ktadd DNS/`hostname`"
kadmin.local -q "ank -pw $rootpass host/test.$domain"
kadmin.local -q "ktadd host/test.$domain"
^ When I do "ktadd", the password is erased and I have to set up the password manually; I cannot connect after these commands with "kinit client"
kinit host/test.$domain ## I write $rootpass here

Actual results:
Password is incorrect when the record is added to the keytab. I cannot connect with kinit host/test.$domain

Expected results:
Password is not erased

Additional info:
Without the line kadmin.local -q "ktadd host/test.$domain" everything works as I expected and the password is $rootpass.
That's how kadmin's "ktadd" command works -- it generates a new randomized key for the principal, sets it on the KDC (note: the key is sent from the client to the KDC, never the other way), and then stores a copy in the indicated keytab. To get the result you're expecting, you need to use ktutil's "addent" command instead.
OK, thanks much for the explanation.
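The ktutil "addent" route named in the reply above, as an added example that is not part of the original thread: a shell wrapper that builds a keytab entry from the principal's existing password, so the KDC entry is not re-keyed the way "ktadd" re-keys it. The function name, its arguments and the piping of the password to ktutil on stdin are assumptions; the key version number and enctype passed in have to match what the KDC holds for the principal.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes MIT ktutil is on PATH and reads
# the addent password prompt from stdin when stdin is not a terminal.
# keytab_from_password and its argument order are hypothetical.
#
# usage: keytab_from_password PRINCIPAL KVNO ENCTYPE KEYTAB   (password on stdin)
keytab_from_password() {
    [ "$#" -eq 4 ] || { echo "usage: keytab_from_password PRINC KVNO ENCTYPE KEYTAB" >&2; return 2; }
    princ=$1 kvno=$2 enctype=$3 keytab=$4

    # The kvno must be numeric and equal to the key version the KDC holds.
    case $kvno in
        ''|*[!0-9]*) echo "kvno must be numeric: $kvno" >&2; return 2 ;;
    esac
    # Whitespace would split the ktutil command line into extra arguments.
    case "$princ$enctype$keytab" in
        *[[:space:]]*) echo "arguments must not contain whitespace" >&2; return 2 ;;
    esac

    # Take the password from stdin so it never shows up in argv or ps output.
    password=
    IFS= read -r password || :
    [ -n "$password" ] || { echo "no password on stdin" >&2; return 2; }

    # A keytab holding a password-derived key is as sensitive as the password,
    # so create it with owner-only permissions. printf is a shell builtin.
    (
        umask 077
        printf '%s\n%s\n%s\n%s\n' \
            "addent -password -p $princ -k $kvno -e $enctype" \
            "$password" \
            "wkt $keytab" \
            "quit" | ktutil
    )
}
```

Called as `keytab_from_password host/test.$domain 1 aes256-cts /etc/krb5.keytab < passfile`, where the kvno and enctype shown are constructed values to be replaced with the ones the KDC reports for the principal.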