[Freeipa-users] Re: obtaining initial ticket via keytab
On Mon, 2018-05-14 at 14:44 -0400, Josh via FreeIPA-users wrote:
> On 05/14/2018 01:29 PM, Alexander Bokovoy wrote:
> > Talking with Simo, we realized that since we are using random salt for
> > all IPA principals, you need to know the salt when creating a keytab
> > entry. You only can retrieve that via KRB5_TRACE for kinit like I did in
> > https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg but since
> > salt is random, it may have characters that aren't clean for a shell
> > use, so your scripting mileage may vary.
>
> Thanks a lot! That is helpful. However the man page for ktutil has no word
> about salt:
>
> add_entry
>     add_entry {-key|-password} -p principal -k kvno -e enctype
>
> and an attempt to add the -s option results in an invalid usage error.
>
> usage: addent (-key | -password) -p principal -k kvno -e enctype
>
> $ rpm -qf /usr/bin/ktutil
> krb5-workstation-1.15.1-8.el7.x86_64

I think -s has been added in 1.16 :-(

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: obtaining initial ticket via keytab
On 05/14/2018 01:29 PM, Alexander Bokovoy wrote:
> Talking with Simo, we realized that since we are using random salt for
> all IPA principals, you need to know the salt when creating a keytab
> entry. You only can retrieve that via KRB5_TRACE for kinit like I did in
> https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg but since
> salt is random, it may have characters that aren't clean for a shell
> use, so your scripting mileage may vary.

Thanks a lot! That is helpful. However the man page for ktutil has no word
about salt:

add_entry
    add_entry {-key|-password} -p principal -k kvno -e enctype

and an attempt to add the -s option results in an invalid usage error.

usage: addent (-key | -password) -p principal -k kvno -e enctype

$ rpm -qf /usr/bin/ktutil
krb5-workstation-1.15.1-8.el7.x86_64

-- 
Josh.
[Freeipa-users] Re: obtaining initial ticket via keytab
On Mon, 14 May 2018, Rob Crittenden via FreeIPA-users wrote:
> Josh via FreeIPA-users wrote:
>> On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
>>> On Fri, 11 May 2018, Josh wrote:
>>>> On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
>>>>> On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>>>>>> Server certificate has expired and all ipa utilities fail.
>>>>>>
>>>>>> Could you please stay on topic and explain if you can why ktutil
>>>>>> can't be used as described in https://kb.iu.edu/d/aumh? Does ipa
>>>>>> make ktutil not functional?
>>>
>>> Can you show output of
>>>
>>> kinit admin
>>> kvno admin
>>> klist -ef
>>>
>>> I suspect your admin password did change over time so it has a
>>> different kvno value than what you have used in ktutil's addent (-k 1).
>>
>> I modified a script posted on
>> https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
>> to create a simple test case:
>>
>> #!/bin/bash
>> user=admin
>> read -sp "${user}'s pass:" pass
>> echo
>> kinit $user
>> KVNO=$(kvno "$user" | awk '{print $NF}')
>> ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
>> printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab" | ktutil
>> printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
>> kinit -k -t $user.keytab $user
>>
>> The result when run from an IPA host is the same error as before:
>>
>> kinit: Preauthentication failed while getting initial credentials
>>
>> despite the fact that KVNO numbers match.
>>
>> Could anyone confirm that admin keytab acquired via ipa_getkeytab is
>> working and if yes then what is the difference from above method?
>
> ipa-getkeytab works for me, I don't know why ktutil isn't working but we
> do zero testing using this.

Talking with Simo, we realized that since we are using random salt for
all IPA principals, you need to know the salt when creating a keytab
entry. You only can retrieve that via KRB5_TRACE for kinit like I did in
https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg but since
salt is random, it may have characters that aren't clean for a shell
use, so your scripting mileage may vary.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
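The salt problem Alexander describes above, together with the ktutil -s option that Josh and Simo discuss in the two messages at the top of this page, as an added example. It is not code from this thread, from FreeIPA or from krb5. It assumes a krb5 1.16 or later ktutil, whose addent accepts "-s salt" (or "-f" to fetch the salt from the KDC); the 1.15 build in Josh's rpm -qf output has neither. It also assumes that KRB5_TRACE=/dev/stderr kinit prints the KDC-announced salt on a line of the form 'Selected etype info: etype X, salt "Y", params "Z"', and that ktutil's command parser honours double-quoted arguments with a literal quote written as "". The trace excerpt, realm, principal and salt are constructed, not captured from a real KDC; the salt deliberately contains shell metacharacters and a space to show the scripting hazard Alexander mentions. The functions pull the enctype and salt out of the trace and build the ktutil command stream with printf arguments rather than by interpolating values into a shell command line, so nothing in the salt is ever expanded by the shell.

```shell
#!/bin/bash
# Added example (not from the thread, FreeIPA or krb5). Assumptions:
#  - krb5 >= 1.16 ktutil: "addent ... -s salt" (or "-f") exists; 1.15 has neither.
#  - KRB5_TRACE kinit output carries a line
#      Selected etype info: etype <etype>, salt "<salt>", params "<params>"
#  - ktutil's command tokenizer accepts "double quoted" arguments, with a
#    literal double quote written as "".

# Constructed KRB5_TRACE excerpt (not a real capture). The salt contains "$",
# "&" and a space on purpose.
SAMPLE_TRACE='[2811] 1526325000.100001: Getting initial credentials for admin@EXAMPLE.TEST
[2811] 1526325000.100002: Sending request (180 bytes) to EXAMPLE.TEST
[2811] 1526325000.100003: Received error from KDC: -1765328359/Additional pre-authentication required
[2811] 1526325000.100004: Selected etype info: etype aes256-cts, salt "Ro3l$m9x K&z", params ""
[2811] 1526325000.100005: AS key obtained for encrypted timestamp: aes256-cts/ABCD'

# trace_etype TRACE: print the enctype the KDC selected for the client key.
# This is the value addent -e needs; klist -ef reports session/ticket etypes.
trace_etype() {
    printf '%s\n' "$1" |
        sed -n 's/.*Selected etype info: etype \([^,]*\), salt ".*", params.*/\1/p' |
        head -n 1
}

# trace_salt TRACE: print the salt string the KDC announced, byte for byte.
trace_salt() {
    printf '%s\n' "$1" |
        sed -n 's/.*Selected etype info: etype [^,]*, salt "\(.*\)", params.*/\1/p' |
        head -n 1
}

# ktutil_script PRINC KVNO ETYPE SALT PASSWORD KEYTAB: emit the command stream
# to pipe into ktutil. Every value travels as a printf argument, so "$", "&"
# or spaces in the random salt reach ktutil untouched. The salt is quoted for
# ktutil's own tokenizer; any literal " inside it is doubled (assumed rule).
ktutil_script() {
    princ=$1; kvno=$2; etype=$3; salt=$4; pass=$5; keytab=$6
    esc_salt=$(printf '%s' "$salt" | sed 's/"/""/g')
    printf 'addent -password -p %s -k %s -e %s -s "%s"\n' "$princ" "$kvno" "$etype" "$esc_salt"
    printf '%s\n' "$pass"     # answer to the password prompt addent issues
    printf 'write_kt %s\nquit\n' "$keytab"
}

# Intended use against a live KDC (not executed here):
#   KRB5_TRACE=/dev/stderr kinit admin 2>trace.log      # enter the password once
#   trace=$(cat trace.log)
#   kvno=$(kvno admin | awk '{print $NF}')
#   read -sp "admin's pass:" pass; echo
#   ktutil_script admin "$kvno" "$(trace_etype "$trace")" "$(trace_salt "$trace")" "$pass" admin.keytab | ktutil
#   kinit -k -t admin.keytab admin
```

Two practitioner notes. The "Etype (skey, tkt)" line that the script earlier in this thread parses with grep/klist reports the session-key and ticket (krbtgt key) enctypes, not the enctype of the client's own long-term key, so feeding its last field to addent -e can pick the wrong enctype even when the kvno is right; the trace line shows what the KDC actually selected. And if ipa-getkeytab becomes usable again, retrieve the admin keytab with its -r (retrieve) option: without -r ipa-getkeytab generates a fresh random key for the principal, which invalidates the current admin password.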
[Freeipa-users] Re: obtaining initial ticket via keytab
Josh via FreeIPA-users wrote:
> On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
>> On Fri, 11 May 2018, Josh wrote:
>>> On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
>>>> On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>>>>> Server certificate has expired and all ipa utilities fail.
>>>>>
>>>>> Could you please stay on topic and explain if you can why ktutil
>>>>> can't be used as described in https://kb.iu.edu/d/aumh? Does ipa
>>>>> make ktutil not functional?
>>
>> Can you show output of
>>
>> kinit admin
>> kvno admin
>> klist -ef
>>
>> I suspect your admin password did change over time so it has a
>> different kvno value than what you have used in ktutil's addent (-k 1).
>
> I modified a script posted on
> https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
> to create a simple test case:
>
> #!/bin/bash
> user=admin
> read -sp "${user}'s pass:" pass
> echo
> kinit $user
> KVNO=$(kvno "$user" | awk '{print $NF}')
> ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
> printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab" | ktutil
> printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
> kinit -k -t $user.keytab $user
>
> The result when run from an IPA host is the same error as before:
>
> kinit: Preauthentication failed while getting initial credentials
>
> despite the fact that KVNO numbers match.
>
> Could anyone confirm that admin keytab acquired via ipa_getkeytab is
> working and if yes then what is the difference from above method?

ipa-getkeytab works for me, I don't know why ktutil isn't working but we
do zero testing using this.

rob
[Freeipa-users] Re: obtaining initial ticket via keytab
On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
> On Fri, 11 May 2018, Josh wrote:
>> On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
>>> On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>>>> Server certificate has expired and all ipa utilities fail.
>>>>
>>>> Could you please stay on topic and explain if you can why ktutil
>>>> can't be used as described in https://kb.iu.edu/d/aumh? Does ipa
>>>> make ktutil not functional?
>
> Can you show output of
>
> kinit admin
> kvno admin
> klist -ef
>
> I suspect your admin password did change over time so it has a
> different kvno value than what you have used in ktutil's addent (-k 1).

I modified a script posted on
https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
to create a simple test case:

#!/bin/bash
user=admin
read -sp "${user}'s pass:" pass
echo
kinit $user
# kvno prints "admin@REALM: kvno = N"; keep the last field
KVNO=$(kvno "$user" | awk '{print $NF}')
# last field of the "Etype (skey, tkt): ..." line under the krbtgt entry
ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
# addent reads the password from stdin, then the keytab is written
printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab" | ktutil
printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
kinit -k -t $user.keytab $user

The result when run from an IPA host is the same error as before:

kinit: Preauthentication failed while getting initial credentials

despite the fact that KVNO numbers match.

Could anyone confirm that admin keytab acquired via ipa_getkeytab is
working and if yes then what is the difference from above method?

Josh.
[Freeipa-users] Re: obtaining initial ticket via keytab
On Fri, 11 May 2018, Josh wrote:
> On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
>> On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>>> Server certificate has expired and all ipa utilities fail.
>>>
>>> Could you please stay on topic and explain if you can why ktutil
>>> can't be used as described in https://kb.iu.edu/d/aumh? Does ipa
>>> make ktutil not functional?
>> No, it does not. Without seeing what exactly you did, it is not easy
>> to help you.
>>
>> Aside from a password, a KVNO value and encryption types specified
>> when creating a key play an important role. If you use wrong values,
>> the key would be different from what the KDC expects.
> A message with exact steps "Is being held until the list moderator can
> review it for approval." since 05/09/2018 11:25 PM so I just uploaded
> it to https://pastebin.com/Yp0Yie32

Can you show output of

kinit admin
kvno admin
klist -ef

I suspect your admin password did change over time so it has a
different kvno value than what you have used in ktutil's addent (-k 1).

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: obtaining initial ticket via keytab
On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
> On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>> Server certificate has expired and all ipa utilities fail.
>>
>> Could you please stay on topic and explain if you can why ktutil
>> can't be used as described in https://kb.iu.edu/d/aumh? Does ipa
>> make ktutil not functional?
> No, it does not. Without seeing what exactly you did, it is not easy
> to help you.
>
> Aside from a password, a KVNO value and encryption types specified
> when creating a key play an important role. If you use wrong values,
> the key would be different from what the KDC expects.

A message with exact steps "Is being held until the list moderator can
review it for approval." since 05/09/2018 11:25 PM so I just uploaded
it to https://pastebin.com/Yp0Yie32

-- 
Josh
[Freeipa-users] Re: obtaining initial ticket via keytab
On 05/10/2018 02:21 PM, Robbie Harwood wrote:
> None via FreeIPA-users writes:
>>> Josh writes:
>>>
>>> Destroy the keytab. Recreate using ipa-getkeytab.
>>
>> I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil
>> not possible at all? Any technical details about it?
>
> How can you use ktutil but not ipa-getkeytab? Maybe let's look into
> that first.

Server certificate has expired and all ipa utilities fail.

Could you please stay on topic and explain if you can why ktutil can't
be used as described in https://kb.iu.edu/d/aumh? Does ipa make ktutil
not functional?

-- 
Josh
[Freeipa-users] Re: obtaining initial ticket via keytab
None via FreeIPA-users writes:

>> Josh writes:
>>
>> Destroy the keytab. Recreate using ipa-getkeytab.
>
> I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil
> not possible at all? Any technical details about it?

How can you use ktutil but not ipa-getkeytab? Maybe let's look into
that first.

Thanks,
--Robbie
[Freeipa-users] Re: obtaining initial ticket via keytab
> Josh writes:
>
> Destroy the keytab. Recreate using ipa-getkeytab.

I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil
not possible at all? Any technical details about it?

Regards,
Josh.
[Freeipa-users] Re: obtaining initial ticket via keytab
Josh via FreeIPA-users writes:

> On 05/10/2018 10:26 AM, Rob Crittenden wrote:
>> Josh via FreeIPA-users wrote:
>>> Greetings,
>>>
>>> I am trying to follow steps at https://kb.iu.edu/d/aumh to create
>>> freeipa admin keytab to use in some scripts but getting an error
>>>
>>> kinit: Preauthentication failed while getting initial credentials
>>
>> This is usually Kerberos's way of saying "bad password".
>>
>>> Does anyone know what I am missing here?
>>
>> You are FAR better off using ipa-getkeytab for obtaining keytabs IMHO.
>>
>> Either way were I to guess someone reset the admin password sometime
>> after getting the keytab which changed the keys.
>
> No one changed the password because I am the only user.
> Any other suggestions to diagnose this process?

Destroy the keytab. Recreate using ipa-getkeytab.

If that doesn't fix it, please provide both `klist -ek /path/to.keytab`
and `KRB5_TRACE=/dev/stderr kinit -k /path/to.keytab`.

Thanks,
--Robbie
[Freeipa-users] Re: obtaining initial ticket via keytab
On 05/10/2018 10:26 AM, Rob Crittenden wrote:
> Josh via FreeIPA-users wrote:
>> Greetings,
>>
>> I am trying to follow steps at https://kb.iu.edu/d/aumh to create
>> freeipa admin keytab to use in some scripts but getting an error
>>
>> kinit: Preauthentication failed while getting initial credentials
>
> This is usually Kerberos's way of saying "bad password".
>
>> Does anyone know what I am missing here?
>
> You are FAR better off using ipa-getkeytab for obtaining keytabs IMHO.
>
> Either way were I to guess someone reset the admin password sometime
> after getting the keytab which changed the keys.

No one changed the password because I am the only user.
Any other suggestions to diagnose this process?

Josh.
[Freeipa-users] Re: obtaining initial ticket via keytab
Josh via FreeIPA-users wrote:
> Greetings,
>
> I am trying to follow steps at https://kb.iu.edu/d/aumh to create
> freeipa admin keytab to use in some scripts but getting an error
>
> kinit: Preauthentication failed while getting initial credentials

This is usually Kerberos's way of saying "bad password".

> Does anyone know what I am missing here?

You are FAR better off using ipa-getkeytab for obtaining keytabs IMHO.

Either way were I to guess someone reset the admin password sometime
after getting the keytab which changed the keys.

rob