On 06/26/2018 08:19 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> My ktutil doesn't have "-s" as an option on addent -- is this a
>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>> ipa-client 4.5.0-22.
> If you are getting a keytab for yourself (say admin) try this:
>
> $ ipa-getkeytab -s ipa.example.com -p admin@EXAMPLE.COM -P -k /tmp/admin.kt

This command prompted me for a New Principal Password, so I control-C'd
out and now I can't "kinit admin" because the password fails. Was this
command supposed to try to change our admin account password?

> $ kdestroy -A
> $ kinit -kt /tmp/admin.kt admin
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> $ kdestroy -A
> $ kinit admin
> <enter password you just set above>
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
>
> If you want to get a keytab like this for a different user as admin
> you'll run into password expiration issues which you can work around in
> other ways (ldapmodify).
>
> rob
>>
>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>> On Tue, 26 Jun 2018, Bret Wortman wrote:
>>>> I found your post, but the paste you made was gone. You don't happen
>>>> to still have that laying around, do you?
>>> A script is attached. It may fail in some cases as salt is really a
>>> random sequence of bytes that might need additional escaping in shell.
>>>
>>>
>>>>
>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>> What's the correct way to create a user keytab? I had done this
>>>>>> once about 3 years ago and got it working, but can't find my notes
>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>
>>>>>> kinit -k admin -t /root/keytab
>>>>>>
>>>>>> I've tried various approaches using ktutil and kadmin but haven't
>>>>>> had any success just yet.
>>>>> Review archives of this mailing list for the last month or so. I've
>>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>>> for user principals. As a result, if you need to create a keytab manually
>>>>> for a user account, you need to know which salt and kvno value to use
>>>>> along with the password.
>>>>>
>>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>>> CentOS yet.
>>>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...