OSF DCE Administration Guide--Core Components
Creating and Maintaining Accounts
31.6.1.2 Server and Machine Key Version Numbers
When keys are added to the keytab file, each is assigned a version number in the range
1 to 255. Whenever a server or machine key changes (automatically or explicitly), the
key's version number is incremented. Version numbers allow two or more keys to coexist
for any given server or machine: when a key changes, servers or machines that still
hold tickets granted under the older version of the key run without interruption until
those tickets expire naturally. When a ticket expires, the server or machine
reauthenticates and obtains a new ticket under the new key.
If you use the -registry option to the keytab add command, old keys are deleted
automatically when it is possible to do so. If you do not use this option, periodically
list the contents of the keytab file with the keytab list command and use the keytab
delete command to remove any old versions that are obsolete.
Note: Take care when deleting keys from the keytab file. When principal keys
are changed, tickets can still exist that are based on the key you delete. If
you delete a key from the keytab file, any active tickets based on that key
will no longer be accepted by servers, and clients holding those tickets will
get authentication failures.
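The following Python model is an added illustration of the key-version mechanism described above; it is not dcecp or any part of OSF DCE. It keeps several key versions per principal in a simulated keytab, stamps each ticket with the version it was issued under, and shows that a ticket under an old version is still accepted after a key change until it expires, that a new ticket is issued under the new version, and that deleting an old version while a live ticket still references it produces the authentication failure the note warns about. The principal name hosts/thor/self, the 10-hour ticket lifetime, and the reading of "if possible" as "no unexpired ticket still references the old version" are assumptions of the example.

```python
"""Added model of DCE keytab key version numbers (kvno), ticket acceptance
and obsolete-key deletion.  Illustration code only, not dcecp or OSF DCE;
the principal name and ticket lifetime below are hypothetical."""
from dataclasses import dataclass, field
import secrets

MAX_KVNO = 255           # key version numbers range from 1 to 255
TICKET_LIFETIME = 36000  # assumed 10-hour ticket lifetime, in seconds


@dataclass(frozen=True)
class Ticket:
    """A ticket records the key version it was encrypted under."""
    principal: str
    kvno: int
    expires: int  # seconds since an arbitrary epoch


@dataclass
class Keytab:
    """Maps a principal name to {kvno: key}; several versions may coexist."""
    entries: dict = field(default_factory=dict)

    def add(self, principal, key=None):
        """Add a key for the principal; the entry gets the next version number."""
        versions = self.entries.setdefault(principal, {})
        kvno = max(versions, default=0) + 1
        if kvno > MAX_KVNO:
            raise ValueError("key version space exhausted")
        versions[kvno] = key if key is not None else secrets.token_bytes(8)
        return kvno

    def list(self, principal):
        """Equivalent of 'keytab list': the versions present for a principal."""
        return sorted(self.entries.get(principal, {}))

    def current_kvno(self, principal):
        return max(self.entries[principal])

    def delete(self, principal, kvno):
        """Equivalent of 'keytab delete' for one version; no safety check."""
        del self.entries[principal][kvno]


def issue_ticket(keytab, principal, now, lifetime=TICKET_LIFETIME):
    """New tickets are always issued under the current key version."""
    return Ticket(principal, keytab.current_kvno(principal), now + lifetime)


def accept_ticket(keytab, ticket, now):
    """Server-side check: the kvno in the ticket selects the decryption key."""
    if now >= ticket.expires:
        return "expired"
    if ticket.kvno not in keytab.entries.get(ticket.principal, {}):
        return "authentication failure: key version not in keytab"
    return "accepted"


def prune_obsolete(keytab, principal, outstanding, now):
    """Delete old versions no unexpired ticket references (assumed meaning of
    the 'if possible' rule of keytab add -registry).  Returns what was removed."""
    current = keytab.current_kvno(principal)
    in_use = {t.kvno for t in outstanding
              if t.principal == principal and t.expires > now}
    removed = [k for k in keytab.list(principal)
               if k != current and k not in in_use]
    for k in removed:
        keytab.delete(principal, k)
    return removed


def rotation_walkthrough():
    """Rotate a machine key and trace how a ticket under the old version behaves."""
    kt = Keytab()
    host = "hosts/thor/self"                   # hypothetical machine principal
    kt.add(host)                               # kvno 1
    t_old = issue_ticket(kt, host, now=0)      # encrypted under kvno 1
    kt.add(host)                               # key change: kvno 2 is now current
    results = {
        "versions_after_change": kt.list(host),
        "old_ticket_soon_after": accept_ticket(kt, t_old, now=100),
        "prune_while_ticket_live": prune_obsolete(kt, host, [t_old], now=100),
        "old_ticket_after_expiry": accept_ticket(kt, t_old, now=40000),
        "prune_after_expiry": prune_obsolete(kt, host, [t_old], now=40000),
    }
    # After expiry the machine reauthenticates and gets a ticket under the new key
    t_new = issue_ticket(kt, host, now=40000)
    results["new_ticket_kvno"] = t_new.kvno
    results["new_ticket"] = accept_ticket(kt, t_new, now=40001)
    return results


def premature_delete_walkthrough():
    """Deleting a version that a live ticket still references breaks that ticket."""
    kt = Keytab()
    host = "hosts/thor/self"
    kt.add(host)
    t_old = issue_ticket(kt, host, now=0)
    kt.add(host)
    kt.delete(host, 1)                         # the unsafe step the note warns about
    return accept_ticket(kt, t_old, now=100)


if __name__ == "__main__":
    for name, value in rotation_walkthrough().items():
        print(f"{name}: {value}")
    print("premature delete:", premature_delete_walkthrough())
```

The model makes the operational rule concrete: the only safe time to delete an old version by hand is after every ticket issued under it could have expired, which is why the text recommends listing versions first rather than deleting blindly.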
31.6.2 Creating and Maintaining Keys and Keytab Files
Two commands allow you to create key entries:
keytab create    Creates keytab files, the keytab file entries, and the dced keytab
                 object.
keytab add       Adds key entries to existing keytab files.
When you run either command, you supply the name of the keytab file to create or
modify.
Table 31-2 lists the other options you can supply to the keytab create and add
commands.
124243 Tandem Computers Incorporated 31-15