[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-14 Thread Simo Sorce via FreeIPA-users
On Mon, 2018-05-14 at 14:44 -0400, Josh via FreeIPA-users wrote:
> On 05/14/2018 01:29 PM, Alexander Bokovoy wrote:
> > Talking with Simo, we realized that since we are using random salt for
> > all IPA principals, you need to know the salt when creating a keytab
> > entry. You can only retrieve that via KRB5_TRACE for kinit like I did in
> > https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg but since
> > the salt is random, it may have characters that aren't clean for shell
> > use, so your scripting mileage may vary.
> 
> Thanks a lot! That is helpful. However, the man page for ktutil has no word
> about salt:
> 
> add_entry
>    add_entry {-key|-password} -p principal -k kvno -e enctype
> 
> and an attempt to add the -s option results in an invalid usage error.
> 
> usage: addent (-key | -password) -p principal -k kvno -e enctype
> 
> $ rpm -qf /usr/bin/ktutil
> krb5-workstation-1.15.1-8.el7.x86_64

I think -s has been added in 1.16 :-(

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-14 Thread Josh via FreeIPA-users

On 05/14/2018 01:29 PM, Alexander Bokovoy wrote:
> Talking with Simo, we realized that since we are using random salt for
> all IPA principals, you need to know the salt when creating a keytab
> entry. You can only retrieve that via KRB5_TRACE for kinit like I did in
> https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg but since
> the salt is random, it may have characters that aren't clean for shell
> use, so your scripting mileage may vary.

Thanks a lot! That is helpful. However, the man page for ktutil has no word
about salt:

add_entry
  add_entry {-key|-password} -p principal -k kvno -e enctype

and an attempt to add the -s option results in an invalid usage error.

usage: addent (-key | -password) -p principal -k kvno -e enctype

$ rpm -qf /usr/bin/ktutil
krb5-workstation-1.15.1-8.el7.x86_64

--
Josh.


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-14 Thread Alexander Bokovoy via FreeIPA-users

On ma, 14 touko 2018, Rob Crittenden via FreeIPA-users wrote:
> Josh via FreeIPA-users wrote:
> > On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
> > > On pe, 11 touko 2018, Josh wrote:
> > > > On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
> > > > > On to, 10 touko 2018, Josh via FreeIPA-users wrote:
> > > > > > Server certificate has expired and all ipa utilities fail.
> > > > > > Could you please stay on topic and explain, if you can, why
> > > > > > ktutil can't be used as described in
> > > > > > https://kb.iu.edu/d/aumh?
> > > > > >
> > > > > > Does ipa make ktutil not functional?
> > >
> > > Can you show output of
> > >
> > > kinit admin
> > > kvno admin
> > > klist -ef
> > >
> > > I suspect your admin password did change over time so it has a different
> > > kvno value than what you have used in ktutil's addent (-k 1).
> >
> > I modified a script posted on
> > https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
> > to create a simple test case:
> >
> > #!/bin/bash
> > user=admin
> > read -sp "${user}'s pass:" pass
> > echo
> > kinit "$user"
> > # kvno prints "principal: kvno = N"; keep the last field
> > KVNO=$(kvno "$user" | awk '{print $NF}')
> > # TGT enctype, from the "Etype (skey, tkt): ..." line under the krbtgt entry
> > ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
> > # the addent command must reach ktutil as a single line
> > printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab\n" | ktutil
> >
> > printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
> > kinit -k -t "$user.keytab" "$user"
> >
> > The result when run from an IPA host is the same error as before:
> > kinit: Preauthentication failed while getting initial credentials
> > despite the fact that the KVNO numbers match.
> > Could anyone confirm that an admin keytab acquired via ipa-getkeytab is
> > working and if yes then what is the difference from the above method?
>
> ipa-getkeytab works for me, I don't know why ktutil isn't working but
> we do zero testing using this.

Talking with Simo, we realized that since we are using random salt for
all IPA principals, you need to know the salt when creating a keytab
entry. You can only retrieve that via KRB5_TRACE for kinit like I did in
https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg but since
the salt is random, it may have characters that aren't clean for shell
use, so your scripting mileage may vary.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-14 Thread Rob Crittenden via FreeIPA-users

Josh via FreeIPA-users wrote:
> On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
> > On pe, 11 touko 2018, Josh wrote:
> > > On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
> > > > On to, 10 touko 2018, Josh via FreeIPA-users wrote:
> > > > > Server certificate has expired and all ipa utilities fail.
> > > > > Could you please stay on topic and explain, if you can, why ktutil
> > > > > can't be used as described in https://kb.iu.edu/d/aumh?
> > > > >
> > > > > Does ipa make ktutil not functional?
> >
> > Can you show output of
> >
> > kinit admin
> > kvno admin
> > klist -ef
> >
> > I suspect your admin password did change over time so it has a different
> > kvno value than what you have used in ktutil's addent (-k 1).
>
> I modified a script posted on
> https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
> to create a simple test case:
>
> #!/bin/bash
> user=admin
> read -sp "${user}'s pass:" pass
> echo
> kinit "$user"
> # kvno prints "principal: kvno = N"; keep the last field
> KVNO=$(kvno "$user" | awk '{print $NF}')
> # TGT enctype, from the "Etype (skey, tkt): ..." line under the krbtgt entry
> ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
> # the addent command must reach ktutil as a single line
> printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab\n" | ktutil
>
> printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
> kinit -k -t "$user.keytab" "$user"
>
> The result when run from an IPA host is the same error as before: kinit:
> Preauthentication failed while getting initial credentials, despite the
> fact that the KVNO numbers match.
> Could anyone confirm that an admin keytab acquired via ipa-getkeytab is
> working and if yes then what is the difference from the above method?

ipa-getkeytab works for me, I don't know why ktutil isn't working but we
do zero testing using this.


rob


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-13 Thread Josh via FreeIPA-users

On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
> On pe, 11 touko 2018, Josh wrote:
> > On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
> > > On to, 10 touko 2018, Josh via FreeIPA-users wrote:
> > > > Server certificate has expired and all ipa utilities fail.
> > > > Could you please stay on topic and explain, if you can, why ktutil
> > > > can't be used as described in https://kb.iu.edu/d/aumh?
> > > >
> > > > Does ipa make ktutil not functional?
>
> Can you show output of
>
> kinit admin
> kvno admin
> klist -ef
>
> I suspect your admin password did change over time so it has a different
> kvno value than what you have used in ktutil's addent (-k 1).

I modified a script posted on
https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-make-keytabs
to create a simple test case:

#!/bin/bash
user=admin
read -sp "${user}'s pass:" pass
echo
kinit "$user"
# kvno prints "principal: kvno = N"; keep the last field
KVNO=$(kvno "$user" | awk '{print $NF}')
# TGT enctype, from the "Etype (skey, tkt): ..." line under the krbtgt entry
ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
# the addent command must reach ktutil as a single line
printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab\n" | ktutil

printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
kinit -k -t "$user.keytab" "$user"

The result when run from an IPA host is the same error as before: kinit:
Preauthentication failed while getting initial credentials, despite the
fact that the KVNO numbers match.
Could anyone confirm that an admin keytab acquired via ipa-getkeytab is
working and if yes then what is the difference from the above method?


Josh.



[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-11 Thread Alexander Bokovoy via FreeIPA-users

On pe, 11 touko 2018, Josh wrote:
> On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
> > On to, 10 touko 2018, Josh via FreeIPA-users wrote:
> > > Server certificate has expired and all ipa utilities fail.
> > > Could you please stay on topic and explain, if you can, why ktutil
> > > can't be used as described in https://kb.iu.edu/d/aumh?
> > >
> > > Does ipa make ktutil not functional?
> >
> > No, it does not. Without seeing what exactly you did, it is not easy to
> > help you. Aside from a password, a KVNO value and encryption types
> > specified when creating a key play an important role. If you use wrong
> > values, the key would be different to what the KDC expects.
>
> A message with exact steps "Is being held until the list moderator can
> review it for approval." since 05/09/2018 11:25 PM so I just uploaded
> it to https://pastebin.com/Yp0Yie32

Can you show output of

kinit admin
kvno admin
klist -ef

I suspect your admin password did change over time so it has a different
kvno value than what you have used in ktutil's addent (-k 1).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-11 Thread Josh via FreeIPA-users

On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
> On to, 10 touko 2018, Josh via FreeIPA-users wrote:
> > Server certificate has expired and all ipa utilities fail.
> > Could you please stay on topic and explain, if you can, why ktutil
> > can't be used as described in https://kb.iu.edu/d/aumh?
> >
> > Does ipa make ktutil not functional?
>
> No, it does not. Without seeing what exactly you did, it is not easy to
> help you. Aside from a password, a KVNO value and encryption types
> specified when creating a key play an important role. If you use wrong
> values, the key would be different to what the KDC expects.

A message with exact steps "Is being held until the list moderator can
review it for approval." since 05/09/2018 11:25 PM so I just uploaded it
to https://pastebin.com/Yp0Yie32


--
Josh


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Josh via FreeIPA-users

On 05/10/2018 02:21 PM, Robbie Harwood wrote:
> None via FreeIPA-users writes:
> > > Josh writes:
> > >
> > > Destroy the keytab.  Recreate using ipa-getkeytab.
> >
> > I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil
> > not possible at all? Any technical details about it?
>
> How can you use ktutil but not ipa-getkeytab?  Maybe let's look into
> that first.

Server certificate has expired and all ipa utilities fail.
Could you please stay on topic and explain, if you can, why ktutil can't
be used as described in https://kb.iu.edu/d/aumh?

Does ipa make ktutil not functional?
--
Josh


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Robbie Harwood via FreeIPA-users
None via FreeIPA-users  writes:

>> Josh  writes:
>> 
>> 
>> Destroy the keytab.  Recreate using ipa-getkeytab.
>
> I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil
> not possible at all? Any technical details about it?

How can you use ktutil but not ipa-getkeytab?  Maybe let's look into
that first.

Thanks,
--Robbie




[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread None via FreeIPA-users
> Josh  writes:
> 
> 
> Destroy the keytab.  Recreate using ipa-getkeytab.

I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil not 
possible at all? Any technical details about it?

Regards,
Josh.


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Robbie Harwood via FreeIPA-users
Josh via FreeIPA-users  writes:

> On 05/10/2018 10:26 AM, Rob Crittenden wrote:
>> Josh via FreeIPA-users wrote:
>>> Greetings,
>>>
>>> I am trying to follow steps at https://kb.iu.edu/d/aumh to create 
>>> freeipa admin keytab to use in some scripts but getting an error
>>>
>>> kinit: Preauthentication failed while getting initial credentials
>>
>> This is usually Kerberos's way of saying "bad password".
>>
>>>
>>> Does anyone know what I am missing here?
>>
>> You are FAR better off using ipa-getkeytab for obtaining keytabs IMHO.
>>
>> Either way were I to guess someone reset the admin password sometime 
>> after getting the keytab which changed the keys.
>
> none changed password because I am the only user.
> any other suggestions to diagnose this process?

Destroy the keytab.  Recreate using ipa-getkeytab.

If that doesn't fix it, please provide both `klist -ek /path/to.keytab`
and `KRB5_TRACE=/dev/stderr kinit -k /path/to.keytab`.

Thanks,
--Robbie




[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Josh via FreeIPA-users

On 05/10/2018 10:26 AM, Rob Crittenden wrote:
> Josh via FreeIPA-users wrote:
> > Greetings,
> >
> > I am trying to follow the steps at https://kb.iu.edu/d/aumh to create a
> > freeipa admin keytab to use in some scripts but am getting an error
> >
> > kinit: Preauthentication failed while getting initial credentials
>
> This is usually Kerberos's way of saying "bad password".
>
> > Does anyone know what I am missing here?
>
> You are FAR better off using ipa-getkeytab for obtaining keytabs IMHO.
>
> Either way, were I to guess, someone reset the admin password sometime
> after getting the keytab which changed the keys.

Nobody changed the password because I am the only user.
Any other suggestions to diagnose this process?

Josh.


[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Rob Crittenden via FreeIPA-users

Josh via FreeIPA-users wrote:
> Greetings,
>
> I am trying to follow the steps at https://kb.iu.edu/d/aumh to create a
> freeipa admin keytab to use in some scripts but am getting an error
>
> kinit: Preauthentication failed while getting initial credentials

This is usually Kerberos's way of saying "bad password".

> Does anyone know what I am missing here?

You are FAR better off using ipa-getkeytab for obtaining keytabs IMHO.

Either way, were I to guess, someone reset the admin password sometime
after getting the keytab which changed the keys.


rob