Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work

2014-12-02 Thread Andreas Ladanyi
 On Mon, 01 Dec 2014 11:53:11 +0100
 Andreas Ladanyi andreas.lada...@kit.edu wrote:

 Hi,

 Server: FreeIPA 3.3.5, Fedora 20
 Client: Ubuntu 14.04

 ipa-getkeytab -s freeipaserver -p principal@REALM  -k
 /tmp/principal.keytab -e des3-hmac-sha1 -P

 only results in:

 klist -k /tmp/principal.keytab -e
 Keytab name: FILE:/tmp/principal.keytab
 KVNO Principal
 The 2 enctypes are equivalent and can be interchanged afaik.

 Simo.

Ok.

Another question: Is it possible to generate keys with no salt instead
of Version 5 (normal) salt?

I want to generate a des3 key with no salt:

ipa-getkeytab -s freeipaserver -p principal@REALM -k
/tmp/principal.keytab -e des3-hmac-sha1:v4 -P

The answer is:

Bad or unsupported salt type.
Failed to create key material

I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf


Andreas



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work

2014-12-02 Thread Simo Sorce
On Tue, 02 Dec 2014 12:08:24 +0100
Andreas Ladanyi andreas.lada...@kit.edu wrote:

  On Mon, 01 Dec 2014 11:53:11 +0100
  Andreas Ladanyi andreas.lada...@kit.edu wrote:
 
  Hi,
 
  Server: FreeIPA 3.3.5, Fedora 20
  Client: Ubuntu 14.04
 
  ipa-getkeytab -s freeipaserver -p principal@REALM  -k
  /tmp/principal.keytab -e des3-hmac-sha1 -P
 
  only results in:
 
  klist -k /tmp/principal.keytab -e
  Keytab name: FILE:/tmp/principal.keytab
  KVNO Principal
  The 2 enctypes are equivalent and can be interchanged afaik.
 
  Simo.
 
 Ok.
 
 Another question: Is it possible to generate keys with no salt instead
 of Version 5 (normal) salt?
 
 I want to generate a des3 key with no salt:
 
 ipa-getkeytab -s freeipaserver -p principal@REALM -k
 /tmp/principal.keytab -e des3-hmac-sha1:v4 -P
 
 The answer is:
 
 Bad or unsupported salt type.
 Failed to create key material
 
 I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf

This works for me without needing to configure anything with Freeipa
4.1 ... probably because it uses the new getkeytab control and key
generation is done on the server side.

... and I looked at the ipa-getkeytab.c code, and it appears we do not
support using the v4 salt type in ipa-getkeytab with the older protocol
code, which is the one used with ipa < 4.x.

I am not exactly sure why we don't; I have a comment in the code that
explicitly calls out SALTTYPE_V4 as not supported, explaining we do not
support krb v4 though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work

2014-12-01 Thread Andreas Ladanyi
Hi,

Server: FreeIPA 3.3.5, Fedora 20
Client: Ubuntu 14.04

ipa-getkeytab -s freeipaserver -p principal@REALM  -k
/tmp/principal.keytab -e des3-hmac-sha1 -P

only results in:

klist -k /tmp/principal.keytab -e
Keytab name: FILE:/tmp/principal.keytab
KVNO Principal

--
   5 principal@REALM (des3-cbc-sha1)


/var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
REALM = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  supported_enctypes = aes256-cts-hmac-sha1-96:normal
aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
arcfour-hmac-md5:normal des-cbc-crc:v4 des3-hmac-sha1:normal
 }

I added the des3-hmac-sha1:normal entry in supported_enctypes parameter.

There is also an attributes entry krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes with the value des3-hmac-sha1:normal in 389 LDAP.


cheers,
Andreas



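To make the alias point raised in this thread checkable, here is an added Python helper (not from the thread, FreeIPA or MIT krb5) that canonicalises MIT enctype names, parses a kdc.conf supported_enctypes value into enctype/salt pairs, and verifies `klist -k -e` output; the sample klist listing and supported_enctypes string are constructed to mirror the ones posted above.

```python
import re

# Enctype aliases from MIT krb5: the thread asks ipa-getkeytab for
# des3-hmac-sha1 and klist prints des3-cbc-sha1, which is the same enctype.
ENCTYPE_ALIASES = {
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac-md5", "arcfour-hmac": "arcfour-hmac-md5",
}
# Salt types MIT krb5 accepts in enctype:salttype pairs (the thread uses normal, v4).
SALT_TYPES = {"normal", "v4", "norealm", "onlyrealm", "special", "afs3"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}  # legacy types in the thread's kdc.conf
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample input mirroring the klist output and kdc.conf in the thread.
SAMPLE_KLIST = """Keytab name: FILE:/tmp/principal.keytab
KVNO Principal
---- ----------------------------------
   5 principal@REALM (des3-cbc-sha1)
"""
SAMPLE_SUPPORTED = ("aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal "
                    "des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4 "
                    "des3-hmac-sha1:normal")

def canonical(enctype):
    """Map an enctype alias to the name klist -e prints."""
    return ENCTYPE_ALIASES.get(enctype.lower(), enctype.lower())

def parse_supported_enctypes(value):
    """Parse a supported_enctypes value into {canonical_enctype: salttype}."""
    pairs = {}
    for token in value.split():
        enctype, _, salt = token.partition(":")
        salt = salt or "normal"  # a bare enctype means the normal salt in MIT krb5
        if salt not in SALT_TYPES:
            raise ValueError("Bad or unsupported salt type: %s" % token)
        pairs[canonical(enctype)] = salt
    return pairs

def parse_klist(text):
    """Return [(kvno, principal, canonical_enctype)] from `klist -k -e` output."""
    return [(int(m.group(1)), m.group(2), canonical(m.group(3)))
            for m in map(KLIST_ENTRY.match, text.splitlines()) if m]

def check_keytab(klist_text, requested, supported_value):
    """Did the requested enctype land in the keytab, and does the KDC allow it?"""
    wanted = canonical(requested)
    present = {enc for _, _, enc in parse_klist(klist_text)}
    allowed = parse_supported_enctypes(supported_value)
    return {"requested_present": wanted in present,
            "requested_salt": allowed.get(wanted),  # None if the KDC omits it
            "weak_in_keytab": sorted(present & WEAK_ENCTYPES)}
```

Running `check_keytab(SAMPLE_KLIST, "des3-hmac-sha1", SAMPLE_SUPPORTED)` reports the requested enctype as present under its canonical name; an unknown salt such as `des3-hmac-sha1:v5` is rejected with the same wording the tool printed in the thread.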

Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work

2014-12-01 Thread Simo Sorce
On Mon, 01 Dec 2014 11:53:11 +0100
Andreas Ladanyi andreas.lada...@kit.edu wrote:

 Hi,
 
 Server: FreeIPA 3.3.5, Fedora 20
 Client: Ubuntu 14.04
 
 ipa-getkeytab -s freeipaserver -p principal@REALM  -k
 /tmp/principal.keytab -e des3-hmac-sha1 -P
 
 only results in:
 
 klist -k /tmp/principal.keytab -e
 Keytab name: FILE:/tmp/principal.keytab
 KVNO Principal

The 2 enctypes are equivalent and can be interchanged afaik.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
