I can create a keytab using ipa-getkeytab for any entity, say for instance a
user, and store a password in the keytab, but as soon as the user attempts to
kinit with the set password it expires and must be changed. Is this
happening with the host (workstation) entities?

On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <g17ji...@gmail.com> wrote:

> When I do not specify the encryption type it does put them all in in a
> single go. I just was attempting to eliminate the other types in case that
> was creating a problem. The system defaults to type x18
> (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>
> [root@csp-idm etc]# klist -kte krb5.keytab.sys1
> Keytab name: WRFILE:krb5.keytab.sys1
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
> 6 09/16/11 13:40:03 host/ews1-cybsec.pdh....@pdh.csp(aes256-cts-hmac-sha1-96)
> 6 09/16/11 13:40:03 host/ews1-cybsec.pdh....@pdh.csp(aes128-cts-hmac-sha1-96)
> 6 09/16/11 13:40:04 host/ews1-cybsec.pdh....@pdh.csp (des3-cbc-sha1)
> 6 09/16/11 13:40:04 host/ews1-cybsec.pdh....@pdh.csp (arcfour-hmac)
>
>
> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <s...@redhat.com> wrote:
>
>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P            [entering into the main keytab /etc/krb5.keytab]
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> >
>>
>> This is not how it works.
>> You must define all types in one single go.
>> Every time you invoke ipa-getkeytab for a principal you are discarding
>> any previous key in the KDC, and only the last one is available.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
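A checker for the failure mode Simo describes, added here as an example and not code from the thread or from FreeIPA: it parses `klist -kte` output and flags keytab entries whose KVNO is below the principal's newest one, which is exactly what repeated ipa-getkeytab runs leave behind (the sample output, the realm PDH.CSP and the helper names are constructed).

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread), modelled on the klist -kte output
# above: ipa-getkeytab was run once per enctype into one keytab, so every run
# bumped the KVNO in the KDC and only the KVNO 6 entry still matches a KDC key.
BAD_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/16/11 13:20:01 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   4 09/16/11 13:21:10 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   5 09/16/11 13:22:33 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:23:40 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
"""

# One entry line: KVNO, "date time", principal, "(enctype)". The enctype may be
# glued to the principal without a space, as in the output quoted above.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+?)\s*\((\S+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries

def latest_kvno(entries):
    """Highest KVNO present in the keytab for each principal."""
    latest = defaultdict(int)
    for kvno, princ, _ in entries:
        latest[princ] = max(latest[princ], kvno)
    return latest

def stale_entries(entries):
    """Entries below their principal's newest KVNO; the KDC no longer holds those keys."""
    latest = latest_kvno(entries)
    return [e for e in entries if e[0] < latest[e[1]]]

def missing_enctypes(entries, required):
    """Per principal, the required enctypes absent from its newest key set."""
    latest = latest_kvno(entries)
    have = defaultdict(set)
    for kvno, princ, etype in entries:
        if kvno == latest[princ]:
            have[princ].add(etype)
    return {p: sorted(set(required) - have[p]) for p in latest}
```

Entries that share one KVNO across every enctype, as in the output quoted above, are what a single ipa-getkeytab run with a comma-separated `-e` list produces.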
