On Tue, 26 Jun 2018, Bret Wortman wrote:
> I found your post, but the paste you made was gone. You don't happen to still have that laying around, do you?

A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell.

> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>> What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:
>>>
>>> kinit -k admin -t /root/keytab
>>>
>>> I've tried various approaches using ktutil and kadmin but haven't had any success just yet.
>>
>> Review archives of this mailing list for the last month or so. I've commented in some other thread. Basically, FreeIPA uses a random salt for user principals. As a result, if you need to create a keytab manually for a user account, you need to know which salt and kvno value to use along with the password. However, ktutil only allows you to specify a salt manually since MIT Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or CentOS yet.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

record-keytab-for-user.sh
Description: Bourne shell script
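
The following is an added example, not the attached record-keytab-for-user.sh and not code from the thread. It sketches the step the reply describes: take the salt and enctype the KDC announces, combine them with a known kvno, and produce the ktutil `addent` line, refusing salts that would need extra escaping. The "Selected etype info" trace line format, the `-s` option spelling, the helper names, the principal and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumes MIT Kerberos 1.16+ ktutil (manual salt support) and
# that a trace was captured with: KRB5_TRACE=/dev/stderr kinit <user>

# Constructed sample trace line (salt and timestamps are made up).
SAMPLE_TRACE='[4242] 1530000000.000001: Selected etype info: etype aes256-cts, salt "Xq3.vT9+Lm2/Zr8=", params ""'

# trace_field etype|salt: read trace text on stdin, print the requested field
# from the first "Selected etype info" line.
trace_field() {
    case "$1" in
        etype) sed -n 's/.*Selected etype info: etype \([^,]*\), salt ".*", params.*/\1/p' ;;
        salt)  sed -n 's/.*Selected etype info: etype [^,]*, salt "\(.*\)", params.*/\1/p' ;;
    esac | head -n 1
}

# salt_is_plain SALT: succeed only if the salt is non-empty and made of
# characters that need no quoting when typed at the ktutil prompt. A random
# salt can contain quotes, spaces or control bytes; those are rejected here
# rather than escaped incorrectly.
salt_is_plain() {
    case "$1" in
        ''|*[!A-Za-z0-9._@/+=,:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# addent_line PRINCIPAL KVNO TRACE_TEXT: print the ktutil command to enter.
# ktutil then prompts for the password, so no password is handled here.
addent_line() {
    etype=$(printf '%s\n' "$3" | trace_field etype)
    salt=$(printf '%s\n' "$3" | trace_field salt)
    [ -n "$etype" ] || { echo "no etype info found in trace" >&2; return 2; }
    salt_is_plain "$salt" || { echo "salt needs escaping; not emitting" >&2; return 3; }
    printf 'addent -password -p %s -k %s -e %s -s %s\n' "$1" "$2" "$etype" "$salt"
}

# Demo with a hypothetical principal and kvno.
addent_line admin@EXAMPLE.TEST 3 "$SAMPLE_TRACE"
```

After entering the printed line and the password in ktutil, write the entry out with `wkt` and protect the resulting file like the password itself, since it grants the same access.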
