On Tue, 26 Jun 2018, Bret Wortman wrote:
My ktutil doesn't have "-s" as an option on addent -- is this a
version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
ipa-client 4.5.0-22.
I said this in the original answer:
-----------------------------------------------------------------------
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
-----------------------------------------------------------------------
On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>On Tue, 26 Jun 2018, Bret Wortman wrote:
>>I found your post, but the paste you made was gone. You don't
>>happen to still have that laying around, do you?
>A script is attached. It may fail in some cases as salt is really a
>random sequence of bytes that might need additional escaping in shell.
>
>
>>
>>
>>On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote:
>>>>What's the correct way to create a user keytab? I had done
>>>>this once about 3 years ago and got it working, but can't find
>>>>my notes anywhere. I need to be able to do this in a script:
>>>>
>>>> kinit -k admin -t /root/keytab
>>>>
>>>>I've tried various approaches using ktutil and kadmin but
>>>>haven't had any success just yet.
>>>Review archives of this mailing list for last month or so. I've
>>>commented in some other thread. Basically, FreeIPA uses a random salt
>>>for user principals. As a result, if you need to create a keytab manually
>>>for a user account, you need to know which salt and kvno value to use
>>>along with the password.
>>>
>>>However, ktutil only allows you to specify a salt manually since MIT
>>>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>CentOS yet.
>>>
>>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
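
The checks discussed in this thread, as an added example (this is not the script attached to the original mail): gate on the MIT Kerberos version that introduced `addent -s`, refuse salts that would need escaping, and print the ktutil commands. The principal, enctype, kvno and salt used in the comments are constructed sample values; `/root/keytab` is the path from the question.

```sh
#!/bin/sh
# Added example, not the script attached to the original mail.
LC_ALL=C; export LC_ALL

# Succeeds when a krb5 version string is 1.16 or newer, the first release whose
# ktutil accepts "addent ... -s <salt>". On RPM systems the string can come from
#   rpm -q --qf '%{VERSION}-%{RELEASE}' krb5-workstation
# Returns 2 when the string cannot be parsed.
krb5_has_salt_option() {
    ver=${1%%-*}            # drop the package release: 1.15.1-8 -> 1.15.1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    # Compare numerically: as strings, "1.9" would sort after "1.16".
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 16 ]; }
}

# Succeeds only when the salt is non-empty and contains nothing that would need
# quoting on a command line. A random salt can contain arbitrary bytes, so this
# example refuses such salts instead of guessing at an escaping scheme.
salt_is_plain() {
    case $1 in
        ''|*[!A-Za-z0-9._@/+=-]*) return 1 ;;
    esac
}

# Prints the ktutil commands that add one password-derived key with an explicit
# salt and write the keytab. ktutil asks for the password itself.
# Arguments: principal kvno enctype salt keytab
ktutil_commands() {
    salt_is_plain "$4" || { echo "salt needs escaping, refusing" >&2; return 1; }
    case $2 in ''|*[!0-9]*) echo "kvno must be a number" >&2; return 1 ;; esac
    printf 'addent -password -p %s -k %s -e %s -s %s\n' "$1" "$2" "$3" "$4"
    printf 'wkt %s\nquit\n' "$5"
}

# Constructed sample invocation:
#   krb5_has_salt_option 1.15.1-8 || echo "ktutil too old for -s" >&2
#   ktutil_commands admin@EXAMPLE.TEST 3 aes256-cts-hmac-sha1-96 Zm9vYmFy /root/keytab
```

The salt, kvno and enctype passed in must match what the KDC holds for the principal, otherwise the key written to the keytab will not work with `kinit -k`.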