Re: [Freeipa-users] Strange klist output

2012-02-25 Thread John Dennis

On 02/25/2012 07:53 AM, Marco Pizzoli wrote:

Hi, as you know I'm working with FreeIPA 2.1.90.

By following documentation I checked my tickets by issuing the klist
command but I'm obtaining an output slightly different than the one on
the doc.

[root@freeipa01 ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it

I see 6 rows as duplicated. Is it normal? Please, could you explain what
is happening?


I believe that is due to the new s4u2proxy Kerberos implementation, I've 
seen it too while testing with s4u2proxy. Unfortunately I cannot explain 
it either and would love for one of our Kerberos gurus to provide an 
explanation.


John


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Strange klist output

2012-02-25 Thread Marco Pizzoli
On Sat, Feb 25, 2012 at 3:20 PM, Simo Sorce s...@redhat.com wrote:

 On Sat, 2012-02-25 at 13:53 +0100, Marco Pizzoli wrote:
  Hi, as you know I'm working with FreeIPA 2.1.90.
 
  By following documentation I checked my tickets by issuing the klist
  command but I'm obtaining an output slightly different than the one on
  the doc.
 
  [root@freeipa01 ~]# klist -kt /etc/krb5.keytab
  Keytab name: WRFILE:/etc/krb5.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
     2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
     2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
     2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
     2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
     2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
 
  I see 6 rows as duplicated. Is it normal? Please, could you explain
  what is happening?
 

 Use -e to see what enctypes are reported.


[root@freeipa01 ~]# klist -kt /etc/krb5.keytab -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (aes256-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (aes128-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (des3-cbc-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (arcfour-hmac)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (des-hmac-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (des-cbc-md5)

Thanks

Re: [Freeipa-users] Strange klist output

2012-02-25 Thread John Dennis

On 02/25/2012 09:20 AM, Simo Sorce wrote:

Use -e to see what enctypes are reported.


Is this difference in any way related to s4u2proxy or did the extra 
enctypes show up because we upgraded Kerberos and picked up other 
unrelated behavior at the same time.


Why do we now have all these enctypes? Is it to satisfy forwarding/proxy 
when you don't know a priori which enctype the foreign endpoint will require?


--
John Dennis jden...@redhat.com




Re: [Freeipa-users] Strange klist output

2012-02-25 Thread Simo Sorce
On Sat, 2012-02-25 at 09:35 -0500, John Dennis wrote:
 On 02/25/2012 09:20 AM, Simo Sorce wrote:
  Use -e to see what enctypes are reported.
 
 Is this difference in any way related to s4u2proxy or did the extra 
 enctypes show up because we upgraded Kerberos and picked up other 
 unrelated behavior at the same time.

No, the contents of the keytab have nothing to do with day to day
operations.
Tickets and TGTs are stored in your ccache.

 Why do we now have all these enctypes? Is it to satisfy forwarding/proxy 
 when you don't know a priori which enctype the foreign endpoint will require?

Because in kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Strange klist output

2012-02-25 Thread John Dennis

On 02/25/2012 09:40 AM, Simo Sorce wrote:

Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
when you don't know a priori which enctype the foreign endpoint will require?


Because in kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.


Sure, that makes sense. But this is new behavior, what changed?

--
John Dennis jden...@redhat.com




Re: [Freeipa-users] Strange klist output

2012-02-25 Thread Rob Crittenden

John Dennis wrote:

On 02/25/2012 09:40 AM, Simo Sorce wrote:

Why do we now have all these enctypes? Is it to satisfy forwarding/proxy
when you don't know a priori which enctype the foreign endpoint will
require?


Because in kerberos each principal can have multiple keys, generally one
per supported (by the KDC) enctype. This is so that a client can use the
strongest enctype it has crypto support for.


Sure, that makes sense. But this is new behavior, what changed?



Nothing, it has always worked this way.

These days you'll only see 4 enctypes as DES is disabled by default.

rob

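As an added illustration of Simo's point (one key per enctype, so the "duplicate" rows are distinct keys for one principal and KVNO) and Rob's note that DES is disabled by default these days, here is a small Python parser for `klist -kte` output that groups keys per principal and flags weak or stale entries. It is written for this thread, not code from FreeIPA or MIT Kerberos, and the keytab text, hostname and realm are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte` output (not the poster's real keytab);
# hostname and realm are placeholders, and a stale KVNO 1 key is added on purpose.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 02/15/12 18:28:58 host/freeipa01.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 02/15/12 18:28:58 host/freeipa01.example.test@EXAMPLE.TEST (des-hmac-sha1)
   2 02/15/12 18:28:58 host/freeipa01.example.test@EXAMPLE.TEST (des-cbc-md5)
   1 01/10/12 09:00:00 host/freeipa01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# KVNO, two-token timestamp, principal, then "(enctype)" with or without a leading space.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s*\((\S+)\)\s*$")

# Enctypes a defender does not want in a keytab: single DES (disabled by default in
# modern MIT Kerberos), plus the deprecated RC4 (arcfour) and 3DES families.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
                 "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}

def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries

def keys_by_principal(entries):
    """Group enctypes per (principal, kvno): the repeated rows are one key per enctype."""
    grouped = defaultdict(list)
    for kvno, princ, etype in entries:
        grouped[(princ, kvno)].append(etype)
    return dict(grouped)

def weak_keys(entries):
    """Entries whose enctype is weak or deprecated."""
    return [(k, p, e) for k, p, e in entries if e in WEAK_ENCTYPES]

def stale_kvnos(entries):
    """Entries whose KVNO is below the newest KVNO seen for that principal."""
    newest = {}
    for kvno, princ, _ in entries:
        newest[princ] = max(newest.get(princ, 0), kvno)
    return [(k, p, e) for k, p, e in entries if k < newest[p]]
```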