When I do not specify the encryption type it does put them all in in a
single go. I just was attempting to eliminate the other types in case that
was creating a problem. The system defaults to type x18
(aes256-cts-hmac-sha1-96). Thanks for your help on this.

[root@csp-idm etc]# klist -kte krb5.keytab.sys1
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh....@pdh.csp (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh....@pdh.csp (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh....@pdh.csp (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh....@pdh.csp (arcfour-hmac)


On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <s...@redhat.com> wrote:

> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> >
>
> This is not how it works.
> You must define all types in one single go.
> Every time you invoke ipa-getkeytab for a principal you are discarding
> any previous key in the KDC, and only the last one is available.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
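
A check for the situation Simo describes, as an added example that is not part of the original thread: it parses `klist -kte` output and reports which keytab entries are stale and which wanted encryption types are missing. It assumes each `ipa-getkeytab` run raises the principal's KVNO, so entries below the highest KVNO are keys the KDC has discarded; the host, realm and sample listing are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: `klist -kte` output after two separate single-enctype
# ipa-getkeytab runs into the same keytab (hypothetical host and realm).
SAMPLE = """\
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# KVNO, date, time, principal, then the enctype in parentheses. The space
# before "(" is optional because some mail archives drop it.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+?)\s*\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return {principal: [(kvno, enctype), ...]} from `klist -kte` output."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header, separator and "Keytab name" lines do not match
            entries[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(entries)


def audit(text, expected):
    """Per principal: current KVNO, stale entries, and expected enctypes missing."""
    report = {}
    for principal, keys in parse_klist(text).items():
        current_kvno = max(kvno for kvno, _ in keys)
        current = {etype for kvno, etype in keys if kvno == current_kvno}
        report[principal] = {
            "kvno": current_kvno,
            # Assumption: lower-KVNO keys were discarded by the KDC.
            "stale": sorted((k, e) for k, e in keys if k < current_kvno),
            "missing": sorted(set(expected) - current),
        }
    return report


if __name__ == "__main__":
    wanted = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    for principal, result in audit(SAMPLE, wanted).items():
        print(principal, result)
```

A non-empty `stale` or `missing` list means the keytab should be regenerated with one `ipa-getkeytab` call that names every wanted type.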
