Bret Wortman via FreeIPA-users wrote:
> My ktutil doesn't have "-s" as an option on addent -- is this a
> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
> ipa-client 4.5.0-22.
If you are getting a keytab for yourself (say admin) try this:
$ ipa-getkeytab -s ipa.example.com -p admin@EXAMPLE.COM -P -k /tmp/admin.kt
$ kdestroy -A
$ kinit -kt /tmp/admin.kt admin
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
06/26/2018 08:17:07  06/27/2018 08:17:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM
$ kdestroy -A
$ kinit admin
<enter password you just set above>
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
06/26/2018 08:18:41  06/27/2018 08:18:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64.
If you want to get a keytab like this for a different user as admin
you'll run into password expiration issues which you can work around in
other ways (ldapmodify).
rob
On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
> On Tue, 26 Jun 2018, Bret Wortman wrote:
>> I found your post, but the paste you made was gone. You don't happen
>> to still have that laying around, do you?
> A script is attached. It may fail in some cases as salt is really a
> random sequence of bytes that might need additional escaping in shell.
>
>
>>
>>
>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>> What's the correct way to create a user keytab? I had done this
>>>> once about 3 years ago and got it working, but can't find my notes
>>>> anywhere. I need to be able to do this in a script:
>>>>
>>>> kinit -k admin -t /root/keytab
>>>>
>>>> I've tried various approaches using ktutil and kadmin but haven't
>>>> had any success just yet.
>>> Review archives of this mailing list for last month or so. I've
>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>> for user principals. As result, if you need to create a keytab manually
>>> for a user account, you need to know which salt and kvno value to use
>>> along with the password.
>>>
>>> However, ktutil only allows you to specify a salt manually since MIT
>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>> CentOS yet.
>>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org