Bret Wortman via FreeIPA-users wrote:
> My ktutil doesn't have "-s" as an option on addent -- is this a
> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
> ipa-client 4.5.0-22.
If you are getting a keytab for yourself (say admin) try this:

    $ ipa-getkeytab -s ipa.example.com -p [email protected] -P -k /tmp/admin.kt
    $ kdestroy -A
    $ kinit -kt /tmp/admin.kt admin
    $ klist
    Ticket cache: KEYRING:persistent:1000:1000
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/[email protected]
    $ kdestroy -A
    $ kinit admin
    <enter password you just set above>
    $ klist
    Ticket cache: KEYRING:persistent:1000:1000
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/[email protected]

I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64

If you want to get a keytab like this for a different user as admin you'll
run into password expiration issues which you can work around in other ways
(ldapmodify).

rob

>
> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>> On Tue, 26 Jun 2018, Bret Wortman wrote:
>>> I found your post, but the paste you made was gone. You don't happen
>>> to still have that laying around, do you?
>> A script is attached. It may fail in some cases as salt is really a
>> random sequence of bytes that might need additional escaping in shell.
>>
>>>
>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>> What's the correct way to create a user keytab? I had done this
>>>>> once about 3 years ago and got it working, but can't find my notes
>>>>> anywhere. I need to be able to do this in a script:
>>>>>
>>>>> kinit -k admin -t /root/keytab
>>>>>
>>>>> I've tried various approaches using ktutil and kadmin but haven't
>>>>> had any success just yet.
>>>> Review archives of this mailing list for last month or so. I've
>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>> for user principals.
>>>> As a result, if you need to create a keytab manually
>>>> for a user account, you need to know which salt and kvno value to use
>>>> along with the password.
>>>>
>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>> CentOS yet.
>>>>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]/message/7H7CLT3W2WWER7WNGYTR4OWYP4BOMZEL/

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/F3DYZYMZDSQLAOMPTVZAHO5XHO37RGVY/
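The fetch-and-verify sequence from Rob's session, as an added shell example that is not from the thread or from FreeIPA: it retrieves the keytab with ipa-getkeytab, tests it in a throwaway FILE: credential cache so no `kdestroy -A` is needed, and compares the key version stored in the keytab with the one the KDC reports (the mismatch that bites after a password change). The realm EXAMPLE.COM and the sample `klist -k` output are constructed, and it assumes the KDC will answer a `kvno` request for the user principal itself.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Assumptions: ipa-getkeytab,
# kinit, klist and kvno are on PATH, and the KDC issues a ticket when `kvno`
# asks for the user principal itself.

# Highest KVNO recorded for principal $1 in `klist -k` output read on stdin.
# The header ("KVNO Principal") and name line are skipped by the numeric test.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max >= 0) print max }'
}

# KVNO the KDC reports for principal $1 in `kvno` output read on stdin,
# e.g. "admin@EXAMPLE.COM: kvno = 2".
kdc_kvno() {
    awk -v p="$1:" '$1 == p && $2 == "kvno" { print $4 }'
}

# Fetch the keytab as in Rob's session. -P prompts for a new password for the
# user (so this resets it); umask 077 keeps the keytab file at mode 0600.
fetch_user_keytab() {
    server=$1; principal=$2; keytab=$3
    ( umask 077 && ipa-getkeytab -s "$server" -p "$principal" -P -k "$keytab" )
}

# kinit from the keytab into a throwaway FILE: cache (existing keyring tickets
# are untouched, so no `kdestroy -A`), then confirm the keytab's KVNO matches
# the KDC's. Returns 0 only if both checks pass.
verify_user_keytab() {
    principal=$1; keytab=$2
    ccache=$(mktemp) || return 1
    if ! KRB5CCNAME="FILE:$ccache" kinit -kt "$keytab" "$principal"; then
        rm -f "$ccache"; return 1
    fi
    in_keytab=$(klist -k "$keytab" | keytab_kvno "$principal")
    on_kdc=$(KRB5CCNAME="FILE:$ccache" kvno "$principal" 2>/dev/null | kdc_kvno "$principal")
    rm -f "$ccache"
    [ -n "$in_keytab" ] && [ "$in_keytab" = "$on_kdc" ]
}

# Constructed sample of `klist -k` output (three keys, two key versions).
SAMPLE_KLIST='Keytab name: FILE:/tmp/admin.kt
KVNO Principal
---- ----------------------------------
   2 admin@EXAMPLE.COM
   2 admin@EXAMPLE.COM
   1 admin@EXAMPLE.COM'
```

Typical use is `fetch_user_keytab ipa.example.com admin@EXAMPLE.COM /tmp/admin.kt && verify_user_keytab admin@EXAMPLE.COM /tmp/admin.kt`; the parsers can be exercised offline with `printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno admin@EXAMPLE.COM`.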
