[Freeipa-users] Re: keytab usage?
Simo Sorce via FreeIPA-users wrote:
> On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote:
>> Never mind -- if I use ipa-getkeytab, it works perfectly.
>>
>> What is the difference between what getkeytab and ktutil by hand
>> does?
>> Is it documented?
>
> In FreeIPA we generate a random salt instead of using the old
> "principal name as salt". ktutil depends on using the "principal name
> as salt" to generate correct keys, so it fails to create a valid key.

I wonder if we should make a goal of documenting what works with
ktutil/kadmin and what doesn't so at least if/when things blow up we can
point them to a page.

Existing experience with Kerberos can be handy to understand how IPA fits
together but it's a double-edged sword since the usual tool workflow
generally doesn't translate well.

This doesn't come up super-often so maybe we can just point to the users
list. I'd like to avoid creating another ticket that lives forever though.

rob

> Simo.
>
>> -K
>>
>> On 6/5/17 9:18 AM, Kat wrote:
>>> Ok, I guess I am not understanding something here. What am I
>>> missing?
>>> The PW is correct, but no matter what I do, I can't use the keytab
>>> file for a user as shown below:
>>>
>>> [root@ipa ~]# ktutil
>>> ktutil: addent -password -p cyb...@example.com -k 1 -e
>>> aes256-cts-hmac-sha1-96
>>> Password for cyb...@example.com:
>>> ktutil: wkt /root/cyberj.keytab
>>> ktutil: q
>>>
>>> [root@ipa ~]# kinit -k -t cyberj.keytab cyb...@example.com
>>> kinit: Password incorrect while getting initial credentials
>>>
>>> :-(
>>>
>>> -K
>>
>> ___
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
[Freeipa-users] Re: keytab usage?
On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote:
> Never mind -- if I use ipa-getkeytab, it works perfectly.
>
> What is the difference between what getkeytab and ktutil by hand
> does?
> Is it documented?

In FreeIPA we generate a random salt instead of using the old
"principal name as salt". ktutil depends on using the "principal name
as salt" to generate correct keys, so it fails to create a valid key.

Simo.

> -K
>
> On 6/5/17 9:18 AM, Kat wrote:
> > Ok, I guess I am not understanding something here. What am I
> > missing?
> > The PW is correct, but no matter what I do, I can't use the keytab
> > file for a user as shown below:
> >
> > [root@ipa ~]# ktutil
> > ktutil: addent -password -p cyb...@example.com -k 1 -e
> > aes256-cts-hmac-sha1-96
> > Password for cyb...@example.com:
> > ktutil: wkt /root/cyberj.keytab
> > ktutil: q
> >
> > [root@ipa ~]# kinit -k -t cyberj.keytab cyb...@example.com
> > kinit: Password incorrect while getting initial credentials
> >
> > :-(
> >
> > -K
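To make the salt point concrete, here is an added example (not from the thread or from FreeIPA's own code) that runs the salt-dependent PBKDF2 stage of the RFC 3962 AES string-to-key derivation with the principal-name salt that ktutil's `addent -password` assumes, and with a random salt like the one FreeIPA stores. The principal, password and random salt are constructed stand-ins; an interactive `kinit` with a password still works against FreeIPA because the KDC sends the real salt in the preauth exchange, which an offline ktutil run never sees.

```python
import hashlib
import os

# Iteration count MIT krb5 uses for AES string-to-key unless the KDC
# sends a different one in PA-ETYPE-INFO2 preauth data (RFC 3962, sec. 4).
DEFAULT_ITERATIONS = 4096
AES256_CTS_KEY_BYTES = 32


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the name components
    with the '@' and '/' separators dropped, e.g.
    'cyberj@EXAMPLE.COM' -> 'EXAMPLE.COMcyberj'.
    This is the only salt ktutil can compute without asking the KDC."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def string_to_key_stage1(password: str, salt: str,
                         iterations: int = DEFAULT_ITERATIONS,
                         key_bytes: int = AES256_CTS_KEY_BYTES) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key ("tkey").
    The final AES key is DK(tkey, "kerberos"), a deterministic function
    of tkey alone, so a different tkey here means a different keytab key;
    that salt-independent step is left out of this example."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def keytab_matches_kdc(password: str, principal: str, kdc_salt: str) -> bool:
    """Would a keytab built offline with the default salt carry the same
    key the KDC stored under kdc_salt?  Mirrors the 'kinit -k -t' outcome:
    True means the keytab works, False means 'Password incorrect'."""
    local = string_to_key_stage1(password, default_salt(principal))
    kdc = string_to_key_stage1(password, kdc_salt)
    return local == kdc


if __name__ == "__main__":
    principal = "cyberj@EXAMPLE.COM"           # constructed stand-in
    password = "correct horse battery staple"  # constructed stand-in
    # A KDC that stores keys under the default salt: the ktutil keytab works.
    print("default-salt KDC:",
          keytab_matches_kdc(password, principal, default_salt(principal)))
    # FreeIPA stores the key under a random salt (constructed here with urandom):
    # the same password yields a different key, so the ktutil keytab fails.
    random_salt = os.urandom(16).hex()
    print("random-salt KDC: ", keytab_matches_kdc(password, principal, random_salt))
```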
[Freeipa-users] Re: keytab usage?
I think your kinit is a little wrong. Try this:

kinit -k /root/cyberj.keytab cyb...@example.com

Otherwise, trace it and you might find out more:

KRB5_TRACE=/dev/stdout kinit -k -t cyberj.keytab cyb...@example.com

On 06/05/2017 10:18 AM, Kat via FreeIPA-users wrote:
> Ok, I guess I am not understanding something here. What am I missing?
> The PW is correct, but no matter what I do, I can't use the keytab
> file for a user as shown below:
>
> [root@ipa ~]# ktutil
> ktutil: addent -password -p cyb...@example.com -k 1 -e
> aes256-cts-hmac-sha1-96
> Password for cyb...@example.com:
> ktutil: wkt /root/cyberj.keytab
> ktutil: q
>
> [root@ipa ~]# kinit -k -t cyberj.keytab cyb...@example.com
> kinit: Password incorrect while getting initial credentials
>
> :-(
>
> -K
[Freeipa-users] Re: keytab usage?
Never mind -- if I use ipa-getkeytab, it works perfectly.

What is the difference between what getkeytab and ktutil by hand does?
Is it documented?

-K

On 6/5/17 9:18 AM, Kat wrote:
> Ok, I guess I am not understanding something here. What am I missing?
> The PW is correct, but no matter what I do, I can't use the keytab
> file for a user as shown below:
>
> [root@ipa ~]# ktutil
> ktutil: addent -password -p cyb...@example.com -k 1 -e
> aes256-cts-hmac-sha1-96
> Password for cyb...@example.com:
> ktutil: wkt /root/cyberj.keytab
> ktutil: q
>
> [root@ipa ~]# kinit -k -t cyberj.keytab cyb...@example.com
> kinit: Password incorrect while getting initial credentials
>
> :-(
>
> -K