Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work
On Tue, 02 Dec 2014 12:08:24 +0100
Andreas Ladanyi wrote:

> > On Mon, 01 Dec 2014 11:53:11 +0100
> > Andreas Ladanyi wrote:
> >
> >> Hi,
> >>
> >> Server: FreeIPA 3.3.5, Fedora 20
> >> Client: Ubuntu 14.04
> >>
> >> ipa-getkeytab -s freeipaserver -p principal@REALM -k
> >> /tmp/principal.keytab -e des3-hmac-sha1 -P
> >>
> >> only results in:
> >>
> >> klist -k /tmp/principal.keytab -e
> >> Keytab name: FILE:/tmp/principal.keytab
> >> KVNO Principal
> > The 2 enctypes are equivalent and can be interchanged afaik.
> >
> > Simo.
> >
> Ok.
>
> Another question: Is it possible to generate keys with no salt instead
> of Version 5 (normal) salt ?
>
> I want to generate a des3 key with no salt:
>
> ipa-getkeytab -s freeipaserver -p principal@REALM -k
> /tmp/principal.keytab -e des3-hmac-sha1:v4 -P
>
> The answer is:
>
> Bad or unsupported salt type.
> Failed to create key material
>
> I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf

This works for me without needing to configure anything with Freeipa 4.1
... probably because it uses the new getkeytab control and key generation is done on the server side.

... and I looked at the ipa-getkeytab.c code and it appears we do not support using the v4 salt type in ipa-getkeytab with the older protocol code which is the one used with ipa < 4.x

I am not exactly sure why we don't, I have a comment in the code that explicitly calls out SALTTYPE_V4 as not supported, explaining we do not support krb v4 though.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work
> On Mon, 01 Dec 2014 11:53:11 +0100
> Andreas Ladanyi wrote:
>
>> Hi,
>>
>> Server: FreeIPA 3.3.5, Fedora 20
>> Client: Ubuntu 14.04
>>
>> ipa-getkeytab -s freeipaserver -p principal@REALM -k
>> /tmp/principal.keytab -e des3-hmac-sha1 -P
>>
>> only results in:
>>
>> klist -k /tmp/principal.keytab -e
>> Keytab name: FILE:/tmp/principal.keytab
>> KVNO Principal
> The 2 enctypes are equivalent and can be interchanged afaik.
>
> Simo.
>
Ok.

Another question: Is it possible to generate keys with no salt instead of Version 5 (normal) salt ?

I want to generate a des3 key with no salt:

ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1:v4 -P

The answer is:

Bad or unsupported salt type.
Failed to create key material

I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf

Andreas
Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work
On Mon, 01 Dec 2014 11:53:11 +0100
Andreas Ladanyi wrote:

> Hi,
>
> Server: FreeIPA 3.3.5, Fedora 20
> Client: Ubuntu 14.04
>
> ipa-getkeytab -s freeipaserver -p principal@REALM -k
> /tmp/principal.keytab -e des3-hmac-sha1 -P
>
> only results in:
>
> klist -k /tmp/principal.keytab -e
> Keytab name: FILE:/tmp/principal.keytab
> KVNO Principal

The 2 enctypes are equivalent and can be interchanged afaik.

Simo.

--
Simo Sorce * Red Hat, Inc * New York