On 06/26/2018 08:19 AM, Rob Crittenden wrote:
Bret Wortman via FreeIPA-users wrote:
My ktutil doesn't have "-s" as an option on addent -- is this a
version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
ipa-client 4.5.0-22.
If you are getting a keytab for yourself (say admin) try this:

$ ipa-getkeytab -s ipa.example.com -p ad...@example.com -P -k /tmp/admin.kt
This command prompted me for a New Principal Password, so I control-C'd out and now I can't "kinit admin" because the password fails. Was this command supposed to try to change our admin account password?
$ kdestroy -A
$ kinit -kt /tmp/admin.kt admin
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ad...@example.com

Valid starting       Expires              Service principal
06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/example....@example.com
$ kdestroy -A
$ kinit admin
<enter password you just set above>
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ad...@example.com

Valid starting       Expires              Service principal
06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/example....@example.com

I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64

If you want to get a keytab like this for a different user as admin
you'll run into password expiration issues which you can work around in
other ways (ldapmodify).

rob


On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
On Tue, 26 Jun 2018, Bret Wortman wrote:
I found your post, but the paste you made was gone. You don't happen
to still have that lying around, do you?
A script is attached. It may fail in some cases as salt is really a
random sequence of bytes that might need additional escaping in shell.



On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
What's the correct way to create a user keytab? I had done this
once about 3 years ago and got it working, but can't find my notes
anywhere. I need to be able to do this in a script:

    kinit -k admin -t /root/keytab

I've tried various approaches using ktutil and kadmin but haven't
had any success just yet.
Review archives of this mailing list for the last month or so. I've
commented in some other thread. Basically, FreeIPA uses a random salt
for user principals. As a result, if you need to create a keytab manually
for a user account, you need to know which salt and kvno value to use
along with the password.

However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/7H7CLT3W2WWER7WNGYTR4OWYP4BOMZEL/
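Alexander's point above is that a hand-built user keytab is only usable if the key was derived with the principal's own salt and the entry carries the current kvno. The following is an added example, not code from this thread or from FreeIPA or MIT krb5: a minimal writer and reader for the MIT keytab file format (version 0x0502) that ktutil and ipa-getkeytab produce, showing where the kvno and enctype live so a stale keytab can be spotted before kinit fails. Principal names, the 32-byte key and the timestamps below are constructed for illustration; a real user key comes from ipa-getkeytab or from string-to-key run with the principal's salt.

```python
import struct

KEYTAB_VERSION = 0x0502  # magic for the MIT "version 2" keytab layout; all fields big-endian
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _pstr(b):  # keytab strings are a uint16 length prefix followed by the bytes
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, kvno, enctype, key, timestamp):
    # kvno is stored twice: an 8-bit field in the header and a 32-bit trailer (MIT 1.14+)
    name, realm = principal.rsplit("@", 1)
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + _pstr(realm.encode()) + b"".join(_pstr(c) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(entries)

def _read_pstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def read_keytab(data):
    # Returns one dict per entry: principal, kvno, enctype name, raw key, timestamp
    if struct.unpack_from(">H", data, 0)[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a slot deleted by ktutil delent; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_pstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_pstr(data, pos)
            comps.append(comp)
        _ntype, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0  # 0 means "use vno8"
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno32 or vno8,
                        "enctype": ENCTYPES.get(etype, str(etype)), "key": key, "timestamp": ts})
        pos = end  # honour the recorded size so any extra trailing bytes are skipped
    return entries
```

Comparing the kvno reported by read_keytab with the principal's current key version on the IPA server tells you whether the keytab predates a password change before you try kinit -kt with it.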
