Josh via FreeIPA-users wrote:
On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
On Fri, 11 May 2018, Josh wrote:
On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
Server certificate has expired and all ipa utilities fail.
Could you please stay on topic and explain if you can why ktutil
can't be used as described in https://kb.iu.edu/d/aumh?
Does ipa make ktutil not functional?
Can you show output of
kinit admin
kvno admin
klist -ef
I suspect your admin password did change over time so it has a different
kvno value than what you have used in ktutil's addent (-k 1).
I modified a script posted on
https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
to create a simple test case:
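#!/bin/bash
# Build a keytab for $user with ktutil, then try to authenticate with it.
user=admin
read -rsp "${user}'s pass:" pass
echo
# Get a TGT (kinit prompts for the password itself).
kinit "$user"
# Key version number the KDC currently holds for the principal.
KVNO=$(kvno "$user" | awk '{print $NF}')
# Encryption type of the TGT, taken from the line after the krbtgt entry.
ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
# Feed ktutil: add a password-derived entry, then write the keytab.
printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab" | ktutil
# List the keytab contents.
printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
# Authenticate using the keytab.
kinit -k -t "$user.keytab" "$user"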
The result when run from an IPA host is the same error as before: kinit:
Preauthentication failed while getting initial credentials, despite the
fact that the KVNO numbers match.
Could anyone confirm that an admin keytab acquired via ipa-getkeytab is
working, and if yes, then what is the difference from the above method?
ipa-getkeytab works for me. I don't know why ktutil isn't working, but we
do zero testing using this.
rob