Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work
On Tue, 02 Dec 2014 12:08:24 +0100 Andreas Ladanyi andreas.lada...@kit.edu wrote:

> On Mon, 01 Dec 2014 11:53:11 +0100 Andreas Ladanyi andreas.lada...@kit.edu wrote:
>> Hi,
>>
>> Server: FreeIPA 3.3.5, Fedora 20
>> Client: Ubuntu 14.04
>>
>> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P
>>
>> only results in:
>>
>> klist -k /tmp/principal.keytab -e
>> Keytab name: FILE:/tmp/principal.keytab
>> KVNO Principal
>
> The 2 enctypes are equivalent and can be interchanged afaik.
>
> Simo.

Ok. Another question: Is it possible to generate keys with no salt instead of Version 5 (normal) salt?

I want to generate a des3 key with no salt:

ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1:v4 -P

The answer is:

Bad or unsupported salt type.
Failed to create key material

I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf.

Andreas

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work
On Tue, 02 Dec 2014 12:08:24 +0100 Andreas Ladanyi andreas.lada...@kit.edu wrote:

>> On Mon, 01 Dec 2014 11:53:11 +0100 Andreas Ladanyi andreas.lada...@kit.edu wrote:
>>> Hi,
>>>
>>> Server: FreeIPA 3.3.5, Fedora 20
>>> Client: Ubuntu 14.04
>>>
>>> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P
>>>
>>> only results in:
>>>
>>> klist -k /tmp/principal.keytab -e
>>> Keytab name: FILE:/tmp/principal.keytab
>>> KVNO Principal
>>
>> The 2 enctypes are equivalent and can be interchanged afaik.
>>
>> Simo.
>
> Ok. Another question: Is it possible to generate keys with no salt instead of Version 5 (normal) salt?
>
> I want to generate a des3 key with no salt:
>
> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1:v4 -P
>
> The answer is:
>
> Bad or unsupported salt type.
> Failed to create key material
>
> I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf.

This works for me without needing to configure anything with FreeIPA 4.1 ... probably because it uses the new getkeytab control and key generation is done on the server side.

... and I looked at the ipa-getkeytab.c code and it appears we do not support using the v4 salt type in ipa-getkeytab with the older protocol code, which is the one used with ipa 4.x.

I am not exactly sure why we don't; I have a comment in the code that explicitly calls out SALTTYPE_V4 as not supported, explaining we do not support krb v4 though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work
Hi,

Server: FreeIPA 3.3.5, Fedora 20
Client: Ubuntu 14.04

ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P

only results in:

klist -k /tmp/principal.keytab -e
Keytab name: FILE:/tmp/principal.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 principal@REALM (des3-cbc-sha1)

/var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
 REALM = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4 des3-hmac-sha1:normal
 }

I added the des3-hmac-sha1:normal entry to the supported_enctypes parameter. There are also the attributes krbDefaultEncSaltTypes and krbSupportedEncSaltTypes with the value des3-hmac-sha1:normal in 389 LDAP.

cheers,
Andreas
Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work
On Mon, 01 Dec 2014 11:53:11 +0100 Andreas Ladanyi andreas.lada...@kit.edu wrote:

> Hi,
>
> Server: FreeIPA 3.3.5, Fedora 20
> Client: Ubuntu 14.04
>
> ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P
>
> only results in:
>
> klist -k /tmp/principal.keytab -e
> Keytab name: FILE:/tmp/principal.keytab
> KVNO Principal

The 2 enctypes are equivalent and can be interchanged afaik.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
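The point Simo makes above (that des3-hmac-sha1 and des3-cbc-sha1 are the same enctype, so klist will always print the canonical name) and the salt question in the follow-up are easier to see at the byte level. The following is an added example, not code from the thread or from FreeIPA: a small writer and parser for the MIT keytab file format (version 0x0502), an alias table that maps both DES3 names to enctype number 16, and a helper that builds the salt string MIT krb5 uses for "normal" (realm plus principal components) and "v4" (empty) salt types. The keytab entry, the 24-byte dummy key and the enctype table are constructed here for illustration; the principal and kvno mirror the thread.

```python
"""Added example (not from the thread or FreeIPA): a keytab stores the enctype as a
number, and des3-hmac-sha1 / des3-cbc-sha1 both resolve to 16, so `klist -e` shows
des3-cbc-sha1 whichever name was passed to ipa-getkeytab -e."""
import struct

# Canonical name per enctype number (RFC 3961/3962 numbers, MIT krb5 naming).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Aliases accepted on the command line; several names map to one number.
ENCTYPE_ALIASES = {name: num for num, name in ENCTYPE_NAMES.items()}
ENCTYPE_ALIASES.update({
    "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts": 17, "aes256-cts": 18,
    "arcfour-hmac-md5": 23, "rc4-hmac": 23,
})


def enctype_number(name):
    """Resolve an enctype name or alias to its number."""
    return ENCTYPE_ALIASES[name]


def same_enctype(a, b):
    return enctype_number(a) == enctype_number(b)


def mit_salt(principal, salttype="normal"):
    """Salt string fed to string-to-key (helper written for this example):
    "normal" = realm followed by the name components, no separators; "v4" = empty."""
    name, realm = principal.rsplit("@", 1)
    if salttype == "normal":
        return realm + "".join(name.split("/"))
    if salttype == "v4":
        return ""
    raise ValueError("Bad or unsupported salt type")


def _counted(b):
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Write a 0x0502 keytab from (principal, kvno, enctype_name, key) tuples.
    Only used to construct sample input here; ipa-getkeytab writes the real thing."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype_name, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, 0)           # name_type NT-PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)     # 8-bit kvno
        body += struct.pack(">H", enctype_number(etype_name)) + _counted(key)
        body += struct.pack(">I", kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a 0x0502 keytab into dicts; negative-length slots are deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        pos += 8                                   # skip name_type and timestamp
        kvno = data[pos]; pos += 1
        (etype,) = struct.unpack_from(">H", data, pos); pos += 2
        key, pos = _read_counted(data, pos)
        if pos + 4 <= end:                         # optional 32-bit kvno (0 = absent)
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": etype, "key": key})
    return entries


def klist_lines(entries):
    """Render entries the way `klist -k -e` does: kvno, principal, canonical name."""
    return ["%d %s (%s)" % (e["kvno"], e["principal"],
                            ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]))
            for e in entries]


def keytab_has_enctype(entries, principal, wanted):
    """True if the keytab holds a key of the requested enctype, alias-aware."""
    return any(e["principal"] == principal and e["enctype"] == enctype_number(wanted)
               for e in entries)


if __name__ == "__main__":
    # Constructed sample: the key the thread asked for, with a dummy 24-byte key.
    kt = build_keytab([("principal@REALM", 5, "des3-hmac-sha1", b"\x11" * 24)])
    ents = parse_keytab(kt)
    print("\n".join(klist_lines(ents)))            # 5 principal@REALM (des3-cbc-sha1)
    print(keytab_has_enctype(ents, "principal@REALM", "des3-hmac-sha1"))   # True
    print(repr(mit_salt("principal@REALM")), repr(mit_salt("principal@REALM", "v4")))
```

The check a practitioner wants after running ipa-getkeytab is keytab_has_enctype rather than a string match on klist output: comparing enctype numbers makes "I asked for des3-hmac-sha1 and got des3-cbc-sha1" a success, not a failure. The salt helper shows why the v4 request matters for key material: with an empty salt the derived key depends only on the password, so the same password yields the same key in every realm and for every principal, which is what the "normal" salt is there to prevent.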