On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
In CentOS 8, the man page for ktutil says 1.16.1. -f isn’t in the man
page nor does it work. yum also shows the version of 1.16.1.

-s is there but not -f. When I tried it without -f the resulting key
table didn’t work.

Because you need to specify salt. To find it out without '-f', you need
to use Kerberos tracing in kinit to see the salt. Below is a script I
made some time ago that automates it but since salt and key can be
anything, it might fail escaping characters too.

------------------------
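#!/bin/bash
if test $# -ne 1 ; then
    echo "$0 <username>"
    exit 1
fi

user=$1
read -sp "${user}'s pass:" pass
echo
# Run kinit with tracing and take the salt from the first trace line that mentions it.
# cut -d\" -f2- keeps everything after the first double quote, so the closing
# quote stays and ends the quoted -s argument below.
salt=$(printf "%b" "$pass\n" | KRB5_TRACE=/dev/stdout kinit $user|grep salt|cut -d, -f2|head -1|cut -d\" -f2-)
KVNO=$(kvno "$user" | awk '{print $NF}')
ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
# Add the password-derived key with the discovered salt and write the keytab.
printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE -s \"$salt\n$pass\nwrite_kt $user.keytab" | ktutil
# List the keytab contents, then check that it can be used to authenticate.
printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
kinit -k -t $user.keytab $user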
------------------------

I think it was published in this mailing list already at least once.


Ubuntu 20.4 will be out shortly. Hopefully Centos 8.x will include 17. But for 
the moment this isn’t a realistic solution.

On Nov 22, 2019, at 2:04 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

Actually, I did a check of the source code commits in upstream MIT
Kerberos and I attributed it wrongly. '-f' is part of 1.17 release and
'-s' is in 1.16 release. So, it should be in RHEL 8.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
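
The salt-extraction step of the script above, reworked as an added example that is not part of the original message: it anchors on the whole trace line instead of splitting on commas (where `cut -d, -f2` would truncate a salt containing a comma) and writes the ktutil input with `printf '%s\n'` so backslashes are not expanded. The trace line format, the function names `salt_from_trace` and `ktutil_input`, and the sample trace are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: pull the salt out of KRB5_TRACE output without splitting on commas.
# Assumption: the trace line has the form
#   Selected etype info: etype <enctype>, salt "<salt>", params "<params>"

# Read trace text on stdin, print the salt of the first matching line.
# The greedy \(.*\) runs up to the last '", params "', so commas and
# other punctuation inside the salt are preserved.
salt_from_trace() {
    sed -n 's/^.*Selected etype info: etype [^,]*, salt "\(.*\)", params ".*$/\1/p' | head -n 1
}

# Emit the same three-line ktutil command stream as the script above.
# printf '%s\n' writes each value literally, so a backslash in the
# password or salt is not expanded as it would be with printf "%b".
ktutil_input() {   # args: principal kvno enctype salt password
    printf '%s\n' "addent -password -p $1 -k $2 -e $3 -s \"$4\"" "$5" "write_kt $1.keytab"
}

# Constructed sample trace (not captured from a real KDC).
SAMPLE_TRACE='[4242] 1574431200.000001: Sending request (180 bytes) to EXAMPLE.TEST
[4242] 1574431200.000002: Selected etype info: etype aes256-cts, salt "x,7\q|Zr", params ""
[4242] 1574431200.000003: AS key obtained for encrypted timestamp: aes256-cts/ABCD'

salt=$(printf '%s\n' "$SAMPLE_TRACE" | salt_from_trace)
printf 'salt: %s\n' "$salt"

# Constructed principal, kvno and password; pipe this into ktutil in real use.
ktutil_input alice 1 aes256-cts "$salt" 'pa\nss'
```

In real use the trace would come from `KRB5_TRACE=/dev/stdout kinit "$user"` as in the script above, and an empty result from `salt_from_trace` should stop the run before ktutil is called.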
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
