[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> On 06/26/2018 08:19 AM, Rob Crittenden wrote:
>> Bret Wortman via FreeIPA-users wrote:
>>> My ktutil doesn't have "-s" as an option on addent -- is this a
>>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>>> ipa-client 4.5.0-22.
>> If you are getting a keytab for yourself (say admin) try this:
>>
>> $ ipa-getkeytab -s ipa.example.com -p ad...@example.com -P -k
>> /tmp/admin.kt
> This command prompted me for a New Principal Password, so I control-C'd
> out and now I can't "kinit admin" because the password fails. Was this
> command supposed to try to change our admin account password?

Perhaps depending on your password policy you should be able to re-use
the same password.

You are basically putting your credentials into a file so you need to
create a new secret.

rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5ONGSV7J452TP3L6ISG3IY2PLQ3DMZZ4/


[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
Okay, the directions worked fine except that by aborting, I necessitated 
a change to our admin password. The other SAs will hate me now, but 
that's a livable consequence.


I now have a keytab that does what I need it to. Thanks, Rob and Alexander!




[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users

On 06/26/2018 08:19 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> My ktutil doesn't have "-s" as an option on addent -- is this a
>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>> ipa-client 4.5.0-22.
>
> If you are getting a keytab for yourself (say admin) try this:
>
> $ ipa-getkeytab -s ipa.example.com -p ad...@example.com -P -k /tmp/admin.kt

This command prompted me for a New Principal Password, so I control-C'd
out and now I can't "kinit admin" because the password fails. Was this
command supposed to try to change our admin account password?



[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
> Ahhh. I get it now. So basically this isn't possible today. Do you
> have any insight into when we might see it?

Follow Rob's suggestion -- if you know a user's password, you can use
ipa-getkeytab with -P (ask for password) and it should work too.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
Ahhh. I get it now. So basically this isn't possible today. Do you have 
any insight into when we might see it?





[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 26 Jun 2018, Bret Wortman wrote:
> My ktutil doesn't have "-s" as an option on addent -- is this a
> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
> ipa-client 4.5.0-22.

I said this in the original answer:
---
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
---




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> My ktutil doesn't have "-s" as an option on addent -- is this a
> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
> ipa-client 4.5.0-22.

If you are getting a keytab for yourself (say admin) try this:

$ ipa-getkeytab -s ipa.example.com -p ad...@example.com -P -k /tmp/admin.kt
$ kdestroy -A
$ kinit -kt /tmp/admin.kt admin
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ad...@example.com

Valid starting   Expires  Service principal
06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/example@example.com
$ kdestroy -A
$ kinit admin

$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ad...@example.com

Valid starting   Expires  Service principal
06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/example@example.com

I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64

If you want to get a keytab like this for a different user as admin
you'll run into password expiration issues which you can work around in
other ways (ldapmodify).

rob



[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
My ktutil doesn't have "-s" as an option on addent -- is this a 
version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and 
ipa-client 4.5.0-22.





[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 26 Jun 2018, Bret Wortman wrote:
> I found your post, but the paste you made was gone. You don't happen
> to still have that laying around, do you?

A script is attached. It may fail in some cases as salt is really a
random sequence of bytes that might need additional escaping in shell.






--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


record-keytab-for-user.sh
Description: Bourne shell script


[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
The post of yours that I located and which looked promising is here, to 
save you some searching:


https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/V6ZCBJS7Q3ASTTHSNYZADOEOAUCXANB





[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
I found your post, but the paste you made was gone. You don't happen to 
still have that laying around, do you?





[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
Okay. I may have done this under Fedora before, then. I'll go back and 
search the archives.


Thanks, Alexander!




[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
> What's the correct way to create a user keytab? I had done this once
> about 3 years ago and got it working, but can't find my notes
> anywhere. I need to be able to do this in a script:
>
>    kinit -k admin -t /root/keytab
>
> I've tried various approaches using ktutil and kadmin but haven't had
> any success just yet.

Review archives of this mailing list for last month or so. I've
commented in some other thread. Basically, FreeIPA uses a random salt
for user principals. As a result, if you need to create a keytab manually
for a user account, you need to know which salt and kvno value to use
along with the password.

However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
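An added Python example (not code from this thread, from FreeIPA or from MIT Kerberos) that decodes the binary keytab format so you can see the kvno and enctype of each entry in a keytab such as the one Rob's ipa-getkeytab command writes, and flag entries whose kvno no longer matches what the KDC holds, which is the salt/kvno point made in the reply above. The sample keytab bytes, the principal and the kvno values are constructed for illustration.

```python
"""Parse an MIT Kerberos keytab (file format 0x0502) and check its entries."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"  # keytab format version 2; all fields big-endian
# Enctype numbers from RFC 3962, named as klist -e prints them
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key: bytes  # the long-term key: a keytab is as sensitive as the password

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"etype {self.enctype}")


def _counted_string(buf: bytes, pos: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new position)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> list:
    """Decode every live entry of a version-2 keytab into KeytabEntry objects."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted entry (a hole of -size bytes)
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted_string(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted_string(entry, p)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", entry, p)
        p += 4
        key = entry[p:p + keylen]
        p += keylen
        kvno = vno8
        if p + 4 <= len(entry):  # optional 32-bit kvno; when nonzero it overrides vno8
            (vno32,) = struct.unpack_from(">I", entry, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp, key))
        pos += size
    return entries


def build_keytab(entries) -> bytes:
    """Encode (principal, kvno, enctype, timestamp, key) tuples as a version-2 keytab.
    Used here only to construct sample data; real keytabs come from ipa-getkeytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, timestamp, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 = NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def stale_entries(entries, kdc_kvno: dict) -> list:
    """Entries whose kvno differs from what the KDC reports (principal -> kvno).
    A kvno mismatch is the usual reason `kinit -kt` fails after a password change."""
    return [e for e in entries
            if e.principal in kdc_kvno and e.kvno != kdc_kvno[e.principal]]


# Constructed sample of what /tmp/admin.kt might hold after ipa-getkeytab -P;
# the keys are filler bytes, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("admin@EXAMPLE.COM", 3, 18, 1530000000, bytes(range(32))),
    ("admin@EXAMPLE.COM", 3, 17, 1530000000, bytes(range(16))),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"kvno {e.kvno} {e.principal} ({e.enctype_name})")
    # Once the password changes, the KDC's kvno moves on (here: to 4) and the keytab is stale.
    print("stale:", [e.principal for e in stale_entries(entries, {"admin@EXAMPLE.COM": 4})])
```

A keytab holds the principal's long-term keys, so keep the file readable only by its owner and regenerate it (which bumps the kvno) whenever the password changes.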


[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Tony Brian Albers via FreeIPA-users
We sometimes use this:

kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs

If we want to do stuff as the hdfs user.

HTH

/tony


On 2018-06-26 12:33, Bret Wortman via FreeIPA-users wrote:
> What's the correct way to create a user keytab? I had done this once 
> about 3 years ago and got it working, but can't find my notes anywhere. 
> I need to be able to do this in a script:
> 
>     kinit -k admin -t /root/keytab
> 
> I've tried various approaches using ktutil and kadmin but haven't had 
> any success just yet.

-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316