On 09/16/2011 02:26 PM, Jimmy wrote:
> I can create a keytab using ipa-getkeytab for any entity, say for
> instance a user, and store a password in the keytab but as soon as the
> user attempts to kinit with the set password it expires and must be
> changed. Is this happening with the host(workstation) entities?

Are you using the latest hand-built IPA from the master? There is a bug about
passwords being expired. A more stable version is available from Fedora
if you are using Fedora or from the 2.1 branch.

>
> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <[email protected]> wrote:
>
> > When I do not specify the encryption type it does put them all in
> > in a single go. I just was attempting to eliminate the other types
> > in case that was creating a problem. The system defaults to type
> > x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
> >
> > [root@csp-idm etc]# klist -kte krb5.keytab.sys1
> > Keytab name: WRFILE:krb5.keytab.sys1
> > KVNO Timestamp         Principal
> > ---- ----------------- --------------------------------------------------------
> >    6 09/16/11 13:40:03 host/[email protected] (aes256-cts-hmac-sha1-96)
> >    6 09/16/11 13:40:03 host/[email protected] (aes128-cts-hmac-sha1-96)
> >    6 09/16/11 13:40:04 host/[email protected] (des3-cbc-sha1)
> >    6 09/16/11 13:40:04 host/[email protected] (arcfour-hmac)
> >
> > On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <[email protected]> wrote:
> >
> > > On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> > > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
> > > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
> > > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> > > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> > > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> > > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> > >
> > > This is not how it works.
> > > You must define all types in one single go.
> > > Every time you invoke ipa-getkeytab for a principal you are discarding
> > > any previous key in the KDC, and only the last one is available.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
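
A keytab assembled by several ipa-getkeytab runs, as discussed in the thread above, can be spotted from its `klist -kte` listing. The following is an added example, not code from the thread or from the FreeIPA project: it flags entries whose KVNO is lower than the newest one for the same principal. It assumes each re-key raises the KVNO; the sample listings and the `example.test` names are constructed.

```shell
#!/bin/sh
# Added example: flag keytab entries superseded by a later ipa-getkeytab run.
# Assumption: every re-key raises the principal's KVNO, so an entry with a
# lower KVNO than another entry for the same principal no longer matches the KDC.

# Reads `klist -kte` output on stdin, prints one STALE line per old entry.
stale_keytab_entries() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 5 {          # data rows start with a KVNO
            n++
            kvno[n] = $1 + 0; princ[n] = $4
            etype[n] = $5; gsub(/[()]/, "", etype[n])
            if (kvno[n] > max[$4]) max[$4] = kvno[n]
        }
        END {
            for (i = 1; i <= n; i++)
                if (kvno[i] < max[princ[i]])
                    printf "STALE %s kvno=%d current=%d %s\n",
                        princ[i], kvno[i], max[princ[i]], etype[i]
        }'
}

# Constructed listing: one key type fetched per run, so the KVNO climbs.
sample_one_type_per_run() {
    cat <<'EOF'
Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   5 09/16/11 13:31:02 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:31:40 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
EOF
}

# Constructed listing: all key types fetched in one run, same KVNO throughout.
sample_single_run() {
    cat <<'EOF'
Keytab name: FILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   6 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
EOF
}

# Demo on the constructed split keytab; a real check would pipe in klist -kte.
sample_one_type_per_run | stale_keytab_entries
```

On a real host the function takes the output of `klist -kte` for the keytab file on stdin; an empty result means every entry for each principal shares one KVNO.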
