5:33 a.m.
What's the correct way to create a user keytab? I had done this once
about 3 years ago and got it working, but can't find my notes anywhere.
I need to be able to do this in a script:
kinit -k admin -t /root/keytab
I've tried various approaches using ktutil and kadmin but haven't had
any success just yet.
--
photo
*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret(a)wrapbuddies.co
<mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
10332 Main St Suite 319 Fairfax, VA 22030
<http://facebook.com/wrapbuddiesco>
<http://www.linkedin.com/in/bretwortman>
<http://twitter.com/wrapbuddiesco>
<http://instagram.com/wrapbuddies>
6 a.m.
We sometimes use this:
kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs
If we want to do stuff as the hdfs user.
HTH
/tony
On 2018-06-26 12:33, Bret Wortman via FreeIPA-users wrote:
What's the correct way to create a user keytab? I had done this
once
about 3 years ago and got it working, but can't find my notes anywhere.
I need to be able to do this in a script:
kinit -k admin -t /root/keytab
I've tried various approaches using ktutil and kadmin but haven't had
any success just yet.
--
photo
*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret(a)wrapbuddies.co
<mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
10332 Main St Suite 319 Fairfax, VA 22030
<http://facebook.com/wrapbuddiesco>
<http://www.linkedin.com/in/bretwortman>
<http://twitter.com/wrapbuddiesco>
<http://instagram.com/wrapbuddies>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
6:06 a.m.
On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
What's the correct way to create a user keytab? I had done this
once
about 3 years ago and got it working, but can't find my notes
anywhere. I need to be able to do this in a script:
kinit -k admin -t /root/keytab
I've tried various approaches using ktutil and kadmin but haven't had
any success just yet.
Review archives of this mailing list for last month or so.
I've
commented in some other thread. Basically, FreeIPA uses a random salt
for user principals. As result, if you need to create a keytab manually
for a user account, you need to know which salt and kvno value to use
along with the password.
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
6:09 a.m.
Okay. I may have done this under Fedora before, then. I'll go back and
search the archives.
Thanks, Alexander!
On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
> What's the correct way to create a user keytab? I had done this once
> about 3 years ago and got it working, but can't find my notes
> anywhere. I need to be able to do this in a script:
>
> kinit -k admin -t /root/keytab
>
> I've tried various approaches using ktutil and kadmin but haven't had
> any success just yet.
Review archives of this mailing list for last month or so. I've
commented in some other thread. Basically, FreeIPA uses a random salt
for user principals. As result, if you need to create a keytab manually
for a user account, you need to know which salt and kvno value to use
along with the password.
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
6:22 a.m.
I found your post, but the paste you made was gone. You don't happen to
still have that laying around, do you?
On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
> What's the correct way to create a user keytab? I had done this once
> about 3 years ago and got it working, but can't find my notes
> anywhere. I need to be able to do this in a script:
>
> kinit -k admin -t /root/keytab
>
> I've tried various approaches using ktutil and kadmin but haven't had
> any success just yet.
Review archives of this mailing list for last month or so. I've
commented in some other thread. Basically, FreeIPA uses a random salt
for user principals. As result, if you need to create a keytab manually
for a user account, you need to know which salt and kvno value to use
along with the password.
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
6:25 a.m.
The post of yours that I located and which looked promising is here, to
save you some searching:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
> What's the correct way to create a user keytab? I had done this once
> about 3 years ago and got it working, but can't find my notes
> anywhere. I need to be able to do this in a script:
>
> kinit -k admin -t /root/keytab
>
> I've tried various approaches using ktutil and kadmin but haven't had
> any success just yet.
Review archives of this mailing list for last month or so. I've
commented in some other thread. Basically, FreeIPA uses a random salt
for user principals. As result, if you need to create a keytab manually
for a user account, you need to know which salt and kvno value to use
along with the password.
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
6:30 a.m.
On ti, 26 kesä 2018, Bret Wortman wrote:
I found your post, but the paste you made was gone. You don't
happen
to still have that laying around, do you?
A script is attached. It may fail in some
cases as salt is really a
random sequence of bytes that might need additional escaping in shell.
On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>What's the correct way to create a user keytab? I had done this
>>once about 3 years ago and got it working, but can't find my notes
>>anywhere. I need to be able to do this in a script:
>>
>> kinit -k admin -t /root/keytab
>>
>>I've tried various approaches using ktutil and kadmin but haven't
>>had any success just yet.
>Review archives of this mailing list for last month or so. I've
>commented in some other thread. Basically, FreeIPA uses a random salt
>for user principals. As result, if you need to create a keytab manually
>for a user account, you need to know which salt and kvno value to use
>along with the password.
>
>However, ktutil only allows you to specify a salt manually since MIT
>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>CentOS yet.
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
7:08 a.m.
My ktutil doesn't have "-s" as an option on addent -- is this a
version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
ipa-client 4.5.0-22.
On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
On ti, 26 kesä 2018, Bret Wortman wrote:
> I found your post, but the paste you made was gone. You don't happen
> to still have that laying around, do you?
A script is attached. It may fail in some cases as salt is really a
random sequence of bytes that might need additional escaping in shell.
>
>
> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>> What's the correct way to create a user keytab? I had done this
>>> once about 3 years ago and got it working, but can't find my notes
>>> anywhere. I need to be able to do this in a script:
>>>
>>> kinit -k admin -t /root/keytab
>>>
>>> I've tried various approaches using ktutil and kadmin but haven't
>>> had any success just yet.
>> Review archives of this mailing list for last month or so. I've
>> commented in some other thread. Basically, FreeIPA uses a random salt
>> for user principals. As result, if you need to create a keytab manually
>> for a user account, you need to know which salt and kvno value to use
>> along with the password.
>>
>> However, ktutil only allows you to specify a salt manually since MIT
>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>> CentOS yet.
>>
>
7:19 a.m.
Bret Wortman via FreeIPA-users wrote:
My ktutil doesn't have "-s" as an option on addent --
is this a
version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
ipa-client 4.5.0-22.
If you are getting a keytab for yourself (say admin) try this:
$ ipa-getkeytab -s ipa.example.com -p admin(a)EXAMPLE.COM -P -k /tmp/admin.kt
$ kdestroy -A
$ kinit -kt /tmp/admin.kt admin
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin(a)EXAMPLE.COM
Valid starting Expires Service principal
06/26/2018 08:17:07 06/27/2018 08:17:07 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
$ kdestroy -A
$ kinit admin
<enter password you just set above>
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin(a)EXAMPLE.COM
Valid starting Expires Service principal
06/26/2018 08:18:41 06/27/2018 08:18:39 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
If you want to get a keytab like this for a different user as admin
you'll run into password expiration issues which you can work around in
other ways (ldapmodify).
rob
On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
> On ti, 26 kesä 2018, Bret Wortman wrote:
>> I found your post, but the paste you made was gone. You don't happen
>> to still have that laying around, do you?
> A script is attached. It may fail in some cases as salt is really a
> random sequence of bytes that might need additional escaping in shell.
>
>
>>
>>
>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>> What's the correct way to create a user keytab? I had done this
>>>> once about 3 years ago and got it working, but can't find my notes
>>>> anywhere. I need to be able to do this in a script:
>>>>
>>>> kinit -k admin -t /root/keytab
>>>>
>>>> I've tried various approaches using ktutil and kadmin but
haven't
>>>> had any success just yet.
>>> Review archives of this mailing list for last month or so. I've
>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>> for user principals. As result, if you need to create a keytab manually
>>> for a user account, you need to know which salt and kvno value to use
>>> along with the password.
>>>
>>> However, ktutil only allows you to specify a salt manually since MIT
>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>> CentOS yet.
>>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
7:26 a.m.
On ti, 26 kesä 2018, Bret Wortman wrote:
My ktutil doesn't have "-s" as an option on addent -- is
this a
version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
ipa-client 4.5.0-22.
I said this in the original answer:
-----------------------------------------------------------------------
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
-----------------------------------------------------------------------
On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>On ti, 26 kesä 2018, Bret Wortman wrote:
>>I found your post, but the paste you made was gone. You don't
>>happen to still have that laying around, do you?
>A script is attached. It may fail in some cases as salt is really a
>random sequence of bytes that might need additional escaping in shell.
>
>
>>
>>
>>On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>What's the correct way to create a user keytab? I had done
>>>>this once about 3 years ago and got it working, but can't find
>>>>my notes anywhere. I need to be able to do this in a script:
>>>>
>>>> kinit -k admin -t /root/keytab
>>>>
>>>>I've tried various approaches using ktutil and kadmin but
>>>>haven't had any success just yet.
>>>Review archives of this mailing list for last month or so. I've
>>>commented in some other thread. Basically, FreeIPA uses a random salt
>>>for user principals. As result, if you need to create a keytab manually
>>>for a user account, you need to know which salt and kvno value to use
>>>along with the password.
>>>
>>>However, ktutil only allows you to specify a salt manually since MIT
>>>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>CentOS yet.
>>>
>>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
7:27 a.m.
Ahhh. I get it now. So basically this isn't possible today. Do you have
any insight into when we might see it?
On 06/26/2018 08:26 AM, Alexander Bokovoy wrote:
On ti, 26 kesä 2018, Bret Wortman wrote:
> My ktutil doesn't have "-s" as an option on addent -- is this a
> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
> ipa-client 4.5.0-22.
I said this in the original answer:
-----------------------------------------------------------------------
However, ktutil only allows you to specify a salt manually since MIT
Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
CentOS yet.
-----------------------------------------------------------------------
>
>
> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>> On ti, 26 kesä 2018, Bret Wortman wrote:
>>> I found your post, but the paste you made was gone. You don't
>>> happen to still have that laying around, do you?
>> A script is attached. It may fail in some cases as salt is really a
>> random sequence of bytes that might need additional escaping in shell.
>>
>>
>>>
>>>
>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>> What's the correct way to create a user keytab? I had done this
>>>>> once about 3 years ago and got it working, but can't find my
>>>>> notes anywhere. I need to be able to do this in a script:
>>>>>
>>>>> kinit -k admin -t /root/keytab
>>>>>
>>>>> I've tried various approaches using ktutil and kadmin but
haven't
>>>>> had any success just yet.
>>>> Review archives of this mailing list for last month or so. I've
>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>> for user principals. As result, if you need to create a keytab
>>>> manually
>>>> for a user account, you need to know which salt and kvno value to use
>>>> along with the password.
>>>>
>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>> CentOS yet.
>>>>
>>>
>>
>
7:32 a.m.
On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
Ahhh. I get it now. So basically this isn't possible today. Do you
have any insight into when we might see it?
Follow Rob's suggestion -- if you
know a user's password, you can use
ipa-getkeytab with -P (ask for password) and it should work too.
On 06/26/2018 08:26 AM, Alexander Bokovoy wrote:
>On ti, 26 kesä 2018, Bret Wortman wrote:
>>My ktutil doesn't have "-s" as an option on addent -- is this a
>>version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8
>>and ipa-client 4.5.0-22.
>I said this in the original answer:
>-----------------------------------------------------------------------
>However, ktutil only allows you to specify a salt manually since MIT
>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>CentOS yet.
>-----------------------------------------------------------------------
>
>>
>>
>>On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>>On ti, 26 kesä 2018, Bret Wortman wrote:
>>>>I found your post, but the paste you made was gone. You don't
>>>>happen to still have that laying around, do you?
>>>A script is attached. It may fail in some cases as salt is really a
>>>random sequence of bytes that might need additional escaping in shell.
>>>
>>>
>>>>
>>>>
>>>>On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>>On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>>What's the correct way to create a user keytab? I had done
>>>>>>this once about 3 years ago and got it working, but can't
>>>>>>find my notes anywhere. I need to be able to do this in a
>>>>>>script:
>>>>>>
>>>>>> kinit -k admin -t /root/keytab
>>>>>>
>>>>>>I've tried various approaches using ktutil and kadmin but
>>>>>>haven't had any success just yet.
>>>>>Review archives of this mailing list for last month or so. I've
>>>>>commented in some other thread. Basically, FreeIPA uses a random salt
>>>>>for user principals. As result, if you need to create a
>>>>>keytab manually
>>>>>for a user account, you need to know which salt and kvno value to use
>>>>>along with the password.
>>>>>
>>>>>However, ktutil only allows you to specify a salt manually since MIT
>>>>>Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>>>CentOS yet.
>>>>>
>>>>
>>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
7:33 a.m.
On 06/26/2018 08:19 AM, Rob Crittenden wrote:
Bret Wortman via FreeIPA-users wrote:
> My ktutil doesn't have "-s" as an option on addent -- is this a
> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
> ipa-client 4.5.0-22.
If you are getting a keytab for yourself (say admin) try this:
$ ipa-getkeytab -s ipa.example.com -p admin(a)EXAMPLE.COM -P -k /tmp/admin.kt
This
command prompted me for a New Principal Password, so I control-C'd
out and now I can't "kinit admin" because the password fails. Was this
command supposed to try to change our admin account password?
$ kdestroy -A
$ kinit -kt /tmp/admin.kt admin
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin(a)EXAMPLE.COM
Valid starting Expires Service principal
06/26/2018 08:17:07 06/27/2018 08:17:07 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
$ kdestroy -A
$ kinit admin
<enter password you just set above>
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin(a)EXAMPLE.COM
Valid starting Expires Service principal
06/26/2018 08:18:41 06/27/2018 08:18:39 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
If you want to get a keytab like this for a different user as admin
you'll run into password expiration issues which you can work around in
other ways (ldapmodify).
rob
>
> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>> On ti, 26 kesä 2018, Bret Wortman wrote:
>>> I found your post, but the paste you made was gone. You don't happen
>>> to still have that laying around, do you?
>> A script is attached. It may fail in some cases as salt is really a
>> random sequence of bytes that might need additional escaping in shell.
>>
>>
>>>
>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>> What's the correct way to create a user keytab? I had done this
>>>>> once about 3 years ago and got it working, but can't find my
notes
>>>>> anywhere. I need to be able to do this in a script:
>>>>>
>>>>> kinit -k admin -t /root/keytab
>>>>>
>>>>> I've tried various approaches using ktutil and kadmin but
haven't
>>>>> had any success just yet.
>>>> Review archives of this mailing list for last month or so. I've
>>>> commented in some other thread. Basically, FreeIPA uses a random salt
>>>> for user principals. As result, if you need to create a keytab manually
>>>> for a user account, you need to know which salt and kvno value to use
>>>> along with the password.
>>>>
>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL or
>>>> CentOS yet.
>>>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>
7:39 a.m.
Okay, the directions worked fine except that by aborting, I necessitated
a change to our admin password. The other SAs will hate me now, but
that's a livable consequence.
I now have a keytab that does what I need it to. Thanks, Rob and Alexander!
On 06/26/2018 08:33 AM, Bret Wortman via FreeIPA-users wrote:
On 06/26/2018 08:19 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> My ktutil doesn't have "-s" as an option on addent -- is this a
>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>> ipa-client 4.5.0-22.
> If you are getting a keytab for yourself (say admin) try this:
>
> $ ipa-getkeytab -s ipa.example.com -p admin(a)EXAMPLE.COM -P -k
> /tmp/admin.kt
This command prompted me for a New Principal Password, so I
control-C'd out and now I can't "kinit admin" because the password
fails. Was this command supposed to try to change our admin account
password?
> $ kdestroy -A
> $ kinit -kt /tmp/admin.kt admin
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin(a)EXAMPLE.COM
>
> Valid starting Expires Service principal
> 06/26/2018 08:17:07 06/27/2018 08:17:07 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
> $ kdestroy -A
> $ kinit admin
> <enter password you just set above>
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin(a)EXAMPLE.COM
>
> Valid starting Expires Service principal
> 06/26/2018 08:18:41 06/27/2018 08:18:39 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
>
> I tested this on an old install I had,
> freeipa-server-4.4.4-1.fc25.x86_64
>
> If you want to get a keytab like this for a different user as admin
> you'll run into password expiration issues which you can work around in
> other ways (ldapmodify).
>
> rob
>
>>
>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>> On ti, 26 kesä 2018, Bret Wortman wrote:
>>>> I found your post, but the paste you made was gone. You don't happen
>>>> to still have that laying around, do you?
>>> A script is attached. It may fail in some cases as salt is really a
>>> random sequence of bytes that might need additional escaping in shell.
>>>
>>>
>>>>
>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>> What's the correct way to create a user keytab? I had done
this
>>>>>> once about 3 years ago and got it working, but can't find my
notes
>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>
>>>>>> kinit -k admin -t /root/keytab
>>>>>>
>>>>>> I've tried various approaches using ktutil and kadmin but
haven't
>>>>>> had any success just yet.
>>>>> Review archives of this mailing list for last month or so. I've
>>>>> commented in some other thread. Basically, FreeIPA uses a random
>>>>> salt
>>>>> for user principals. As result, if you need to create a keytab
>>>>> manually
>>>>> for a user account, you need to know which salt and kvno value to
>>>>> use
>>>>> along with the password.
>>>>>
>>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in
>>>>> RHEL or
>>>>> CentOS yet.
>>>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>>
>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
7:40 a.m.
Bret Wortman via FreeIPA-users wrote:
On 06/26/2018 08:19 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> My ktutil doesn't have "-s" as an option on addent -- is this a
>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>> ipa-client 4.5.0-22.
> If you are getting a keytab for yourself (say admin) try this:
>
> $ ipa-getkeytab -s ipa.example.com -p admin(a)EXAMPLE.COM -P -k
> /tmp/admin.kt
This command prompted me for a New Principal Password, so I control-C'd
out and now I can't "kinit admin" because the password fails. Was this
command supposed to try to change our admin account password?
Perhaps depending on your password policy you should be able to re-use
the same password.
You are basically putting your credentials into a file so you need to
create a new secret.
rob
> $ kdestroy -A
> $ kinit -kt /tmp/admin.kt admin
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin(a)EXAMPLE.COM
>
> Valid starting Expires Service principal
> 06/26/2018 08:17:07 06/27/2018 08:17:07 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
> $ kdestroy -A
> $ kinit admin
> <enter password you just set above>
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: admin(a)EXAMPLE.COM
>
> Valid starting Expires Service principal
> 06/26/2018 08:18:41 06/27/2018 08:18:39 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
>
> I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
>
> If you want to get a keytab like this for a different user as admin
> you'll run into password expiration issues which you can work around in
> other ways (ldapmodify).
>
> rob
>
>>
>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>> On ti, 26 kesä 2018, Bret Wortman wrote:
>>>> I found your post, but the paste you made was gone. You don't happen
>>>> to still have that laying around, do you?
>>> A script is attached. It may fail in some cases as salt is really a
>>> random sequence of bytes that might need additional escaping in shell.
>>>
>>>
>>>>
>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>> What's the correct way to create a user keytab? I had done
this
>>>>>> once about 3 years ago and got it working, but can't find my
notes
>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>
>>>>>> kinit -k admin -t /root/keytab
>>>>>>
>>>>>> I've tried various approaches using ktutil and kadmin but
haven't
>>>>>> had any success just yet.
>>>>> Review archives of this mailing list for last month or so. I've
>>>>> commented in some other thread. Basically, FreeIPA uses a random
salt
>>>>> for user principals. As result, if you need to create a keytab
>>>>> manually
>>>>> for a user account, you need to know which salt and kvno value to
use
>>>>> along with the password.
>>>>>
>>>>> However, ktutil only allows you to specify a salt manually since MIT
>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in RHEL
or
>>>>> CentOS yet.
>>>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>>
>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
12:33 p.m.
I use ipa-getkeytab to generate key tables for services. It uses a new random password,
which is fine.
Normally we don’t generate key tables for users. We have better ways to generate
credentials for cron jobs and other non-interactive purposes. However if we need to,
kadmin.local on the Kerberos server can extract a key table without touching the password.
Within kadmin.local, do
ktadd -k KEYTABFILE -norandkey PRINCIPAL
The -norandkey is critical. I’m not aware of any way to do this outside kadmin.local.
There are a few times when this is really necessary. It’s not a reasonable way to generate
key tables for users on a routine basis.
The email suggested that you might be trying to do this to kerberize hadoop. Note that
Hortonworks has support for IPA, so the wizard for kerberizing the system will set the
principals up for you. You have to know the secret place to enable it. With hadoop, as far
as I know all authenticate is done with key tables. So you really don’t care what the
password is. I would think ipa-getkeytable randomizing the password would be fine. You
just need to save the key tables and make sure that if you have the same principal on
several hosts you always use the same key table.
On Jun 26, 2018, at 8:40 AM, Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Bret Wortman via FreeIPA-users wrote:
> On 06/26/2018 08:19 AM, Rob Crittenden wrote:
>> Bret Wortman via FreeIPA-users wrote:
>>> My ktutil doesn't have "-s" as an option on addent -- is this
a
>>> version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and
>>> ipa-client 4.5.0-22.
>> If you are getting a keytab for yourself (say admin) try this:
>>
>> $ ipa-getkeytab -s ipa.example.com -p admin(a)EXAMPLE.COM -P -k
>> /tmp/admin.kt
> This command prompted me for a New Principal Password, so I control-C'd
> out and now I can't "kinit admin" because the password fails. Was this
> command supposed to try to change our admin account password?
Perhaps depending on your password policy you should be able to re-use
the same password.
You are basically putting your credentials into a file so you need to
create a new secret.
rob
>> $ kdestroy -A
>> $ kinit -kt /tmp/admin.kt admin
>> $ klist
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: admin(a)EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 06/26/2018 08:17:07 06/27/2018 08:17:07 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
>> $ kdestroy -A
>> $ kinit admin
>> <enter password you just set above>
>> $ klist
>> Ticket cache: KEYRING:persistent:1000:1000
>> Default principal: admin(a)EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 06/26/2018 08:18:41 06/27/2018 08:18:39 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
>>
>> I tested this on an old install I had, freeipa-server-4.4.4-1.fc25.x86_64
>>
>> If you want to get a keytab like this for a different user as admin
>> you'll run into password expiration issues which you can work around in
>> other ways (ldapmodify).
>>
>> rob
>>
>>>
>>> On 06/26/2018 07:30 AM, Alexander Bokovoy wrote:
>>>> On ti, 26 kesä 2018, Bret Wortman wrote:
>>>>> I found your post, but the paste you made was gone. You don't
happen
>>>>> to still have that laying around, do you?
>>>> A script is attached. It may fail in some cases as salt is really a
>>>> random sequence of bytes that might need additional escaping in shell.
>>>>
>>>>
>>>>>
>>>>> On 06/26/2018 07:06 AM, Alexander Bokovoy wrote:
>>>>>> On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote:
>>>>>>> What's the correct way to create a user keytab? I had
done this
>>>>>>> once about 3 years ago and got it working, but can't find
my notes
>>>>>>> anywhere. I need to be able to do this in a script:
>>>>>>>
>>>>>>> kinit -k admin -t /root/keytab
>>>>>>>
>>>>>>> I've tried various approaches using ktutil and kadmin but
haven't
>>>>>>> had any success just yet.
>>>>>> Review archives of this mailing list for last month or so.
I've
>>>>>> commented in some other thread. Basically, FreeIPA uses a random
salt
>>>>>> for user principals. As result, if you need to create a keytab
>>>>>> manually
>>>>>> for a user account, you need to know which salt and kvno value to
use
>>>>>> along with the password.
>>>>>>
>>>>>> However, ktutil only allows you to specify a salt manually since
MIT
>>>>>> Kerberos 1.16. The latter is in Fedora 28 or later but not in
RHEL or
>>>>>> CentOS yet.
>>>>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>>>
>>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
2130
days inactive
2133
days old
freeipa-users@lists.fedorahosted.org
15 comments
5 participants
participants (5)
-
Alexander Bokovoy -
Bret Wortman -
Charles Hedrick -
Rob Crittenden -
Tony Brian Albers