Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

Nico Williams nico at cryptonector.com
Wed Jun 28 23:07:52 CEST 2017

On Wed, Jun 28, 2017 at 12:08:31AM -0500, Nico Williams wrote:
> We do need better key mgmt support though.  It'd nice to have automatic
> rekeying and expunging of keys too old to be needed for decrypting
> extant live tickets.

Viktor points out that we do have server-side (in libkadm5, thus
kadmind) support for optional automatic expunging old keys in
kadm5_setkey_principal_3().  We have it for krb5_admin/krb5_keytab :)

We want to add client-side support as well.

We also need client-side support for automatic keytab entry expunge as


More information about the Heimdal-discuss mailing list