On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>Ahhh. I get it now. So basically this isn't possible today. Do you
>have any insight into when we might see it?
Follow Rob's suggestion -- if you know a user's password, you can use
ipa-getkeytab with -P (ask for password) and it should work too.

>On 06/26/2018 08:26 AM, Alexander Bokovoy wrote:
>>On Tue, 26 Jun 2018, Bret Wortman wrote:
>>>My ktutil doesn't have "-s" as an option on addent -- is this a
>>>version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8
>>>and ipa-client 4.5.0-22.
>>I said this in the original answer:
>>-----------------------------------------------------------------------
>>However, ktutil only allows you to specify a salt manually since MIT
>>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>CentOS yet.
>>-----------------------------------------------------------------------
>>
>>>On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>>>On Tue, 26 Jun 2018, Bret Wortman wrote:
>>>>>I found your post, but the paste you made was gone. You don't
>>>>>happen to still have that laying around, do you?
>>>>A script is attached. It may fail in some cases as salt is really a
>>>>random sequence of bytes that might need additional escaping in shell.
>>>>
>>>>>On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>>>On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>>>What's the correct way to create a user keytab? I had done
>>>>>>>this once about 3 years ago and got it working, but can't
>>>>>>>find my notes anywhere. I need to be able to do this in a
>>>>>>>script:
>>>>>>>
>>>>>>> kinit -k admin -t /root/keytab
>>>>>>>
>>>>>>>I've tried various approaches using ktutil and kadmin but
>>>>>>>haven't had any success just yet.
>>>>>>Review archives of this mailing list for last month or so. I've
>>>>>>commented in some other thread. Basically, FreeIPA uses a random salt
>>>>>>for user principals. As a result, if you need to create a keytab
>>>>>>manually for a user account, you need to know which salt and kvno
>>>>>>value to use along with the password.
>>>>>>
>>>>>>However, ktutil only allows you to specify a salt manually since MIT
>>>>>>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>>>>CentOS yet.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
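
The choice discussed in this thread (ktutil with a manual salt on MIT Kerberos 1.16 or later, ipa-getkeytab -P otherwise), written out as an added example that is not the script attached to the original message. The function names, the realm EXAMPLE.TEST, the IPA_SERVER, KVNO and SALT placeholders and the aes256 enctype are assumptions; the script only prints the commands and runs none of them.

```sh
#!/bin/sh
# Added example, not from the thread: choose a user-keytab method from the
# installed MIT krb5 version (ktutil accepts a manual salt only from 1.16).

# krb5_at_least VERSION MAJOR MINOR: status 0 if VERSION >= MAJOR.MINOR,
# 1 if older, 2 if unparsable. VERSION may carry an RPM release ("1.15.1-8").
krb5_at_least() {
    v=${1%%-*}                               # strip the "-8" release suffix
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi   # no minor component given
    minor=${rest%%.*}
    case "$major.$minor" in
        *[!0-9.]*|.*|*.) return 2 ;;
    esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# keytab_method VERSION: prints "ktutil-salt" or "ipa-getkeytab".
# Unparsable versions fall back to ipa-getkeytab.
keytab_method() {
    if krb5_at_least "$1" 1 16; then echo ktutil-salt; else echo ipa-getkeytab; fi
}

# keytab_steps VERSION PRINCIPAL KEYTAB [KVNO] [SALT]: prints the commands
# to run; it executes nothing. KVNO and SALT must match the values stored
# for the principal, and a salt with special bytes needs shell escaping.
keytab_steps() {
    if [ "$(keytab_method "$1")" = ktutil-salt ]; then
        echo "ktutil"
        # Enctype is an assumption; use the one the principal's key has.
        echo "  addent -password -p $2 -k ${4:-KVNO} -e aes256-cts-hmac-sha1-96 -s ${5:-SALT}"
        echo "  wkt $3"
        echo "  quit"
    else
        # -P derives the key from a password typed at the prompt.
        echo "ipa-getkeytab -s IPA_SERVER -p $2 -k $3 -P"
    fi
    echo "chmod 600 $3          # the keytab is a long-term credential"
    echo "kinit -k -t $3 $2     # confirm the keytab authenticates"
}

# Constructed sample: the CentOS 7 version from the thread, placeholder realm.
keytab_steps "1.15.1-8" "admin@EXAMPLE.TEST" /root/keytab
```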