Bret Wortman via FreeIPA-users wrote:
> On 06/26/2018 08:19 AM, Rob Crittenden wrote:
>> Bret Wortman via FreeIPA-users wrote:
>>> My ktutil doesn't have "-s" as an option on addent -- is this a
>>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>>> ipa-client 4.5.0-22.
>> If you are getting a keytab for yourself (say admin) try this:
>>
>> $ ipa-getkeytab -s ipa.example.com -p ad...@example.com -P -k /tmp/admin.kt
> This command prompted me for a New Principal Password, so I control-C'd
> out and now I can't "kinit admin" because the password fails. Was this
> command supposed to try to change our admin account password?

Perhaps depending on your password policy you should be able to re-use the
same password. You are basically putting your credentials into a file so
you need to create a new secret.

rob

>> $ kdestroy -A
>> $ kinit -kt /tmp/admin.kt admin
>> $ klist
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: ad...@example.com
>>
>> Valid starting       Expires              Service principal
>> 06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/example....@example.com
>> $ kdestroy -A
>> $ kinit admin
>> <enter password you just set above>
>> $ klist
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: ad...@example.com
>>
>> Valid starting       Expires              Service principal
>> 06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/example....@example.com
>>
>> I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
>>
>> If you want to get a keytab like this for a different user as admin
>> you'll run into password expiration issues which you can work around in
>> other ways (ldapmodify).
>>
>> rob
>>
>>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>>> On Tue, 26 Jun 2018, Bret Wortman wrote:
>>>>> I found your post, but the paste you made was gone. You don't happen
>>>>> to still have that laying around, do you?
>>>> A script is attached. It may fail in some cases as salt is really a
>>>> random sequence of bytes that might need additional escaping in shell.
>>>>
>>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>>> What's the correct way to create a user keytab? I had done this
>>>>>>> once about 3 years ago and got it working, but can't find my notes
>>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>>
>>>>>>> kinit -k admin -t /root/keytab
>>>>>>>
>>>>>>> I've tried various approaches using ktutil and kadmin but haven't
>>>>>>> had any success just yet.
>>>>>> Review archives of this mailing list for last month or so. I've
>>>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>>>> for user principals. As a result, if you need to create a keytab
>>>>>> manually for a user account, you need to know which salt and kvno
>>>>>> value to use along with the password.
>>>>>>
>>>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>>>> CentOS yet.
>>>>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/7H7CLT3W2WWER7WNGYTR4OWYP4BOMZEL/
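A sanity check for the keytab file produced by the ipa-getkeytab / kinit -kt steps discussed in this thread, added here as an example and not code from the thread or from FreeIPA: it parses the MIT keytab on-disk format (version 0x0502) to list principal, kvno and enctype for each entry, the kvno being the value Alexander says you need to match when building a keytab by hand, without printing key bytes, and it refuses a file that is readable by group or other, since a user keytab is a long-term secret equivalent to that user's password. The sample keytab, the principal admin@EXAMPLE.COM, the kvno 3 and the key bytes are constructed for the example; parse_keytab, check_keytab and write_sample are names chosen here, not FreeIPA or MIT APIs.

```python
"""Inspect a Kerberos keytab before trusting it for `kinit -kt`.

Added example (not from the FreeIPA thread or project). Parses the MIT
keytab format: magic 0x0502, then entries of int32 size, uint16 component
count, realm, components, uint32 name type, uint32 timestamp, uint8 vno8,
keyblock {uint16 enctype, uint16 len, bytes}, optional uint32 vno32.
"""
import os
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {23}  # RC4-HMAC is deprecated; flag keytabs that carry it


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, as used throughout the format."""
    return struct.pack(">H", len(data)) + data


def build_entry(realm, components, enctype, kvno, key, timestamp=0):
    """Serialize one keytab entry (used only to construct the sample)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per entry (principal, kvno, enctype); keys are dropped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen           # skip the key material on purpose
        kvno = vno8
        if end - off >= 4:        # optional vno32 overrides the 8-bit kvno
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries


def permission_problems(path: str) -> list:
    """Reasons the file is not an acceptably private credential store."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access; chmod 600"
                        % stat.S_IMODE(st.st_mode))
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    return problems


def check_keytab(path: str, expected_principal: str) -> dict:
    """Parse plus permission checks; 'ok' means fit for kinit -kt."""
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    problems = permission_problems(path)
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append("no entry for %s" % expected_principal)
    if any(e["weak"] for e in entries):
        problems.append("contains a weak enctype")
    return {"entries": entries, "problems": problems, "ok": not problems}


# Constructed sample: admin@EXAMPLE.COM, kvno 3, aes256 + aes128, made-up keys
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + build_entry("EXAMPLE.COM", ["admin"], 18, 3, bytes(range(32)))
                 + build_entry("EXAMPLE.COM", ["admin"], 17, 3, bytes(range(16))))


def write_sample(mode: int = 0o600) -> str:
    """Write the sample keytab to a fresh temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "admin.kt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_KEYTAB)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    result = check_keytab(write_sample(), "admin@EXAMPLE.COM")
    for e in result["entries"]:
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print("ok" if result["ok"] else result["problems"])
```

Run it against a real file by replacing write_sample() with the path ipa-getkeytab wrote (/tmp/admin.kt in Rob's example); if the kvno shown does not match what the KDC has (klist -k on the client and kvno on the server), kinit -kt fails with a preauth error even though the password in the keytab is right.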