Okay, the directions worked fine except that by aborting, I necessitated
a change to our admin password. The other SAs will hate me now, but
that's a livable consequence.
I now have a keytab that does what I need it to. Thanks, Rob and Alexander!
On 06/26/2018 08:33 AM, Bret Wortman via FreeIPA-users wrote:
On 06/26/2018 08:19 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> My ktutil doesn't have "-s" as an option on addent -- is this a
>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>> ipa-client 4.5.0-22.
> If you are getting a keytab for yourself (say admin) try this:
>
> $ ipa-getkeytab -s ipa.example.com -p admin@EXAMPLE.COM -P -k /tmp/admin.kt
This command prompted me for a New Principal Password, so I
control-C'd out and now I can't "kinit admin" because the password
fails. Was this command supposed to try to change our admin account
password?
> $ kdestroy -A
> $ kinit -kt /tmp/admin.kt admin
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin@EXAMPLE.COM
>
> Valid starting Expires Service principal
> 06/26/2018 08:17:07 06/27/2018 08:17:07 krbtgt/EXAMPLE.COM@EXAMPLE.COM
> $ kdestroy -A
> $ kinit admin
> <enter password you just set above>
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin@EXAMPLE.COM
>
> Valid starting Expires Service principal
> 06/26/2018 08:18:41 06/27/2018 08:18:39 krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> I tested this on an old install I had,
> freeipa-server-4.4.4-1.fc25.x86_64
>
> If you want to get a keytab like this for a different user as admin
> you'll run into password expiration issues which you can work around in
> other ways (ldapmodify).
>
> rob
>
>>
>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>> On Tue, 26 Jun 2018, Bret Wortman wrote:
>>>> I found your post, but the paste you made was gone. You don't happen
>>>> to still have that laying around, do you?
>>> A script is attached. It may fail in some cases as salt is really a
>>> random sequence of bytes that might need additional escaping in shell.
>>>
>>>
>>>>
>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>> On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>> What's the correct way to create a user keytab? I had done this
>>>>>> once about 3 years ago and got it working, but can't find my notes
>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>
>>>>>> kinit -k admin -t /root/keytab
>>>>>>
>>>>>> I've tried various approaches using ktutil and kadmin but haven't
>>>>>> had any success just yet.
>>>>> Review archives of this mailing list for the last month or so. I've
>>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>>> for user principals. As a result, if you need to create a keytab
>>>>> manually for a user account, you need to know which salt and kvno
>>>>> value to use along with the password.
>>>>>
>>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>>> CentOS yet.
>>>>>
>>>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
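A keytab only keeps working while its kvno matches the key version the KDC currently holds for the principal, which is why a freshly generated key (as ipa-getkeytab -P produced here) also invalidates the old password. The Python below is an added example, not code from this thread or from FreeIPA: it parses the MIT keytab file format, reports each entry's principal, kvno and enctype, and lists entries whose kvno no longer matches a given current value; the sample keytab, its key bytes, kvno and timestamp are constructed for the example.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3962

def _counted(buf, pos):  # 16-bit length-prefixed octet string -> (bytes, next pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return one dict per live entry of a version-2 (0x0502) MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    # Each record starts with a signed 32-bit size; zero means nothing more to read.
    while pos + 4 <= len(data) and (size := struct.unpack_from(">i", data, pos)[0]):
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "timestamp": timestamp})
    return entries

def build_entry(realm, comps, enctype, key, vno, timestamp):  # writer, used for the sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, timestamp, vno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's admin keytab, with made-up key bytes, kvno and timestamp.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("EXAMPLE.COM", ["admin"], 18, b"\x11" * 32, 3, 1529997427)
                 + build_entry("EXAMPLE.COM", ["admin"], 17, b"\x22" * 16, 3, 1529997427))

def stale_entries(data, current_kvno):  # entries the KDC will reject: kvno no longer current
    return [e for e in parse_keytab(data) if e["kvno"] != current_kvno]
```

Compare the reported kvno with the output of `kvno` (or `ipa user-show`) before relying on a keytab in a script; a mismatch means the key was rotated after the keytab was written.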