On Tue, 02 Dec 2014 12:08:24 +0100
Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
> > On Mon, 01 Dec 2014 11:53:11 +0100
> > Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
> >> Hi,
> >> Server: FreeIPA 3.3.5, Fedora 20
> >> Client: Ubuntu 14.04
> >> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P
> >> only results in:
> >> klist -k /tmp/principal.keytab -e
> >> Keytab name: FILE:/tmp/principal.keytab
> >> KVNO Principal
> > The 2 enctypes are equivalent and can be interchanged afaik.
> > Simo.
> Another question: Is it possible to generate keys with no salt instead
> of Version 5 (normal) salt?
> I want to generate a des3 key with no salt:
> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1:v4 -P
> The answer is:
> Bad or unsupported salt type.
> Failed to create key material
> I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf
This works for me without needing to configure anything with FreeIPA
4.1 ... probably because it uses the new getkeytab control and key
generation is done on the server side.
... and I looked at the ipa-getkeytab.c code and it appears we do not
support using the v4 salt type in ipa-getkeytab with the older protocol
code which is the one used with ipa < 4.x.
I am not exactly sure why we don't, I have a comment in the code that
explicitly calls out SALTTYPE_V4 as not supported, explaining we do not
support krb v4 though.
Simo Sorce * Red Hat, Inc * New York