From 502918bf1cb964693d337be068577bee8e0c9f76 Mon Sep 17 00:00:00 2001 From: gsell Date: Thu, 10 Jul 2025 18:05:39 +0200 Subject: [PATCH] Update pages/merlin7/02-How-To-Use-Merlin/kerberos.md --- .../merlin7/02-How-To-Use-Merlin/kerberos.md | 39 +++++++++++++------ 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/pages/merlin7/02-How-To-Use-Merlin/kerberos.md b/pages/merlin7/02-How-To-Use-Merlin/kerberos.md index 1a3a439..45e5212 100644 --- a/pages/merlin7/02-How-To-Use-Merlin/kerberos.md +++ b/pages/merlin7/02-How-To-Use-Merlin/kerberos.md @@ -73,25 +73,19 @@ other users. For generating a **keytab**, one has to: -1. Load a newer Kerberos ( `krb5/1.20` or higher) from Pmodules: - - ```bash - module load krb5/1.20 - ``` - -2. Create a private directory for storing the Kerberos **keytab** file +1. Create a private directory for storing the Kerberos **keytab** file ```bash mkdir -p ~/.k5 ``` -3. Run the `ktutil` utility which comes with the loaded `krb5` Pmodule: +2. Run the `ktutil` utility: ```bash ktutil ``` -4. In the `ktutil` console, one has to generate a **keytab** file as follows: +3. In the `ktutil` console, one has to generate a **keytab** file as follows: ```bash # Replace $USER by your username 
@@ -100,12 +94,33 @@ For generating a **keytab**, one has to: exit ``` - Notice that you will need to add your password once. This step is required for generating the **keytab** file. + Please note: + * That you will need to add your password once. This step is required for generating the **keytab** file. + * `ktutil`does **not** report an error if you enter a wrong password! You can test with the `kinit` command documented below. If `kinit` fails with an error message like "pre-authentication failed", this is usually due to a wrong password/key in the keytab file. In this case **you have to remove the keytab file** and re-run the `ktutil` command. See "Updating the keytab file" in the section below. -5. Once back to the main shell, one has to ensure that the file contains the proper permissions: +### Updating an existing keytab file + +After a password change you have to update your **keytab**: + +1. Remove the old **keytab** file ```bash - chmod 0600 ~/.k5/krb5.keytab + rm -f ~/.k5/krb5.keytab + ``` + +2. Run the `ktutil` utility: + + ```bash + ktutil + ``` + +3. In the `ktutil` console, one has to generate a **keytab** file as follows: + + ```bash + # Replace $USER by your username + add_entry -password -k 0 -f -p $USER + wkt /data/user/$USER/.k5/krb5.keytab + exit ``` ### Obtaining tickets by using keytab files
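Review bot: In the first hunk (`@@ -73,25 +73,19 @@`), step 2 now reads "Run the `ktutil` utility:" without saying which `ktutil` is meant, while the removed step 1 required `krb5/1.20` or higher from Pmodules. Neither the commit subject nor the new text explains why that requirement is gone. Suggest adding one sentence to step 2 that names the expected `ktutil` (for example the one on the default PATH) and says whether a minimum Kerberos version still applies, and recording the reason in the commit message body.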
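Review bot: In the second hunk (`@@ -100,12 +94,33 @@`), the old step 5 with `chmod 0600 ~/.k5/krb5.keytab` is deleted and nothing replaces it, so neither the creation steps nor the new "Updating an existing keytab file" steps set or check the keytab's permissions any more. The keytab holds a key derived from the password, so the page should either keep that step after `exit` in both procedures or state explicitly why it is no longer needed. Smaller points in the same hunk: the new note refers to "Updating the keytab file" while the heading added is "Updating an existing keytab file"; `ktutil`does is missing a space; and the update steps remove `~/.k5/krb5.keytab` but write to `/data/user/$USER/.k5/krb5.keytab`, which is the same file only when the home directory is `/data/user/$USER`, so one path form should be used throughout.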