I use ipa-getkeytab to generate key tables for services. It uses a new random 
password, which is fine.

Normally we don’t generate key tables for users. We have better ways to 
generate credentials for cron jobs and other non-interactive purposes. However 
if we need to, kadmin.local on the Kerberos server can extract a key table 
without touching the password. Within kadmin.local, do

ktadd -k KEYTABFILE -norandkey PRINCIPAL

The -norandkey is critical. I’m not aware of any way to do this outside 
kadmin.local. There are a few times when this is really necessary. It’s not a 
reasonable way to generate key tables for users on a routine basis.

The email suggested that you might be trying to do this to kerberize hadoop. 
Note that Hortonworks has support for IPA, so the wizard for kerberizing the 
system will set the principals up for you. You have to know the secret place to 
enable it. With hadoop, as far as I know all authentication is done with key 
tables. So you really don’t care what the password is. I would think 
ipa-getkeytab randomizing the password would be fine. You just need to save 
the key tables and make sure that if you have the same principal on several 
hosts you always use the same key table.
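The advice above hinges on the keytab carrying the kvno the KDC currently has for the principal, and on every host using the same keytab. As an added example (not from this thread or the FreeIPA project), here is a small Python parser for the MIT keytab file format that reports each entry's principal, kvno and enctype and flags a keytab whose entries disagree; the sample keytab bytes are constructed inline and the key material is filler.

```python
import struct

def build_entry(realm, components, kvno, enctype, key, ts=1530000000):
    # Serialise one entry of an MIT keytab, format version 2 (all big-endian).
    body = struct.pack(">H", len(components))
    for s in [realm] + components:           # realm first, then name components
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">II", 1, ts)        # name_type KRB5_NT_PRINCIPAL, timestamp
    body += struct.pack(">BHH", kvno & 0xFF, enctype, len(key)) + key  # 8-bit kvno, keyblock
    body += struct.pack(">I", kvno)          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

# Constructed sample, not from the thread: admin@EXAMPLE.COM at kvno 3 with an
# aes256-cts (18) and an aes128-cts (17) entry. Key bytes are filler, not real keys.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("EXAMPLE.COM", ["admin"], 3, 18, bytes(range(32)))
                 + build_entry("EXAMPLE.COM", ["admin"], 3, 17, bytes(range(16))))

def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, timestamp, key} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                         # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):           # realm, then each component
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                   # 32-bit kvno present; used when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0],
                        "kvno": kvno, "enctype": enctype, "timestamp": ts, "key": key})
    return entries

def keytab_kvno(entries, principal):
    """kvno shared by all entries for principal, or None if absent or inconsistent."""
    kvnos = {e["kvno"] for e in entries if e["principal"] == principal}
    return kvnos.pop() if len(kvnos) == 1 else None
```

Run `keytab_kvno(parse_keytab(open(path, "rb").read()), "admin@EXAMPLE.COM")` on each host and compare the results against the kvno the KDC reports before relying on `kinit -kt`.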

> On Jun 26, 2018, at 8:40 AM, Rob Crittenden via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Bret Wortman via FreeIPA-users wrote:
>> On 06/26/2018 08:19 AM, Rob Crittenden wrote:
>>> Bret Wortman via FreeIPA-users wrote:
>>>> My ktutil doesn't have "-s" as an option on addent -- is this a
>>>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>>>> ipa-client 4.5.0-22.
>>> If you are getting a keytab for yourself (say admin) try this:
>>> 
>>> $ ipa-getkeytab -s ipa.example.com -p ad...@example.com -P -k /tmp/admin.kt
>> This command prompted me for a New Principal Password, so I control-C'd
>> out and now I can't "kinit admin" because the password fails. Was this
>> command supposed to try to change our admin account password?
> 
> Perhaps depending on your password policy you should be able to re-use
> the same password.
> 
> You are basically putting your credentials into a file so you need to
> create a new secret.
> 
> rob
> 
>>> $ kdestroy -A
>>> $ kinit -kt /tmp/admin.kt admin
>>> $ klist
>>> Ticket cache: KEYRING:persistent:1000:1000
>>> Default principal: ad...@example.com
>>> 
>>> Valid starting       Expires              Service principal
>>> 06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/example....@example.com
>>> $ kdestroy -A
>>> $ kinit admin
>>> <enter password you just set above>
>>> $ klist
>>> Ticket cache: KEYRING:persistent:1000:1000
>>> Default principal: ad...@example.com
>>> 
>>> Valid starting       Expires              Service principal
>>> 06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/example....@example.com
>>> 
>>> I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
>>> 
>>> If you want to get a keytab like this for a different user as admin
>>> you'll run into password expiration issues which you can work around in
>>> other ways (ldapmodify).
>>> 
>>> rob
>>> 
>>>> 
>>>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>>>> On Tue, 26 Jun 2018, Bret Wortman wrote:
>>>>>> I found your post, but the paste you made was gone. You don't happen
>>>>>> to still have that laying around, do you?
>>>>> A script is attached. It may fail in some cases as salt is really a
>>>>> random sequence of bytes that might need additional escaping in shell.
>>>>> 
>>>>> 
>>>>>> 
>>>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>>>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>>>> What's the correct way to create a user keytab? I had done this
>>>>>>>> once about 3 years ago and got it working, but can't find my notes
>>>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>>> 
>>>>>>>>     kinit -k admin -t /root/keytab
>>>>>>>> 
>>>>>>>> I've tried various approaches using ktutil and kadmin but haven't
>>>>>>>> had any success just yet.
>>>>>>> Review archives of this mailing list for last month or so. I've
>>>>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>>>>> for user principals. As a result, if you need to create a keytab manually
>>>>>>> for a user account, you need to know which salt and kvno value to use
>>>>>>> along with the password.
>>>>>>> 
>>>>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>>>>> CentOS yet.
>>>>>>> 
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/7H7CLT3W2WWER7WNGYTR4OWYP4BOMZEL/
>>>> 
>>>> 