Ok, I guess I am not understanding something here. What am I missing? The PW is correct, but no matter what I do, I can't use the keytab file for a user as shown below:
[root@ipa ~]# ktutil
ktutil:  addent -password -p cyberj@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for cyberj@EXAMPLE.COM:
ktutil:  wkt /root/cyberj.keytab
ktutil:  q
[root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
kinit: Password incorrect while getting initial credentials
:-(
-K
Never mind -- if I use ipa-getkeytab, it works perfectly.
What is the difference between what getkeytab and ktutil by hand do? Is it documented?
-K
On 6/5/17 9:18 AM, Kat wrote:
Ok, I guess I am not understanding something here. What am I missing? The PW is correct, but no matter what I do, I can't use the keytab file for a user as shown below:
[root@ipa ~]# ktutil
ktutil:  addent -password -p cyberj@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for cyberj@EXAMPLE.COM:
ktutil:  wkt /root/cyberj.keytab
ktutil:  q
[root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
kinit: Password incorrect while getting initial credentials
:-(
-K
On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote:
Never mind -- if I use ipa-getkeytab, it works perfectly.
What is the difference between what getkeytab and ktutil by hand do? Is it documented?
In FreeIPA we generate a random salt instead of using the old "principal name as salt". ktutil depends on using the "principal name as salt" to generate correct keys, so it fails to create a valid key.
Simo.
-K
On 6/5/17 9:18 AM, Kat wrote:
Ok, I guess I am not understanding something here. What am I missing? The PW is correct, but no matter what I do, I can't use the keytab file for a user as shown below:
[root@ipa ~]# ktutil
ktutil:  addent -password -p cyberj@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for cyberj@EXAMPLE.COM:
ktutil:  wkt /root/cyberj.keytab
ktutil:  q
[root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
kinit: Password incorrect while getting initial credentials
:-(
-K
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Simo Sorce via FreeIPA-users wrote:
On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote:
Never mind -- if I use ipa-getkeytab, it works perfectly.
What is the difference between what getkeytab and ktutil by hand do? Is it documented?
In FreeIPA we generate a random salt instead of using the old "principal name as salt". ktutil depends on using the "principal name as salt" to generate correct keys, so it fails to create a valid key.
I wonder if we should make a goal of documenting what works with ktutil/kadmin and what doesn't so at least if/when things blow up we can point them to a page.
Existing experience with Kerberos can be handy to understand how IPA fits together but it's a double-edged sword since the usual tool workflow generally doesn't translate well.
This doesn't come up super-often so maybe we can just point to the users list. I'd like to avoid creating another ticket that lives forever though.
rob
Simo.
-K
On 6/5/17 9:18 AM, Kat wrote:
Ok, I guess I am not understanding something here. What am I missing? The PW is correct, but no matter what I do, I can't use the keytab file for a user as shown below:
[root@ipa ~]# ktutil
ktutil:  addent -password -p cyberj@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for cyberj@EXAMPLE.COM:
ktutil:  wkt /root/cyberj.keytab
ktutil:  q
[root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
kinit: Password incorrect while getting initial credentials
:-(
-K
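Simo's point (a Kerberos key is derived from the password and a salt, and FreeIPA stores keys under a random salt while ktutil can only assume the principal-name salt) is worth seeing in code. The following Python is an added example, not code from this thread or from FreeIPA or MIT krb5: it builds the RFC 4120 default salt for a principal, runs the PBKDF2 stage of the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key function with the standard library, and, when the third-party `cryptography` package is installed (an assumption), finishes the derivation with the DK step. The random salt it compares against is a constructed stand-in for whatever salt the KDC actually stored; the RFC 3962 test vector is used to check the PBKDF2 stage.

```python
"""RFC 3962 string-to-key for aes256-cts-hmac-sha1-96, to show why a keytab
written by 'ktutil addent -password' does not match a key the KDC derived
from the same password under a different salt.

Added example: not code from the FreeIPA project or from this thread.
"""
import hashlib
import os

DEFAULT_ITERATIONS = 4096   # RFC 3962 section 4 default iteration count
AES256_KEY_LEN = 32

# 128-bit n-fold of the string "kerberos" (RFC 3961 Appendix A.1), the
# constant consumed by DK() in the second derivation stage.
KERBEROS_128FOLD = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm name followed by the principal's name
    components, concatenated with no separators.

    'cyberj@EXAMPLE.COM'               -> b'EXAMPLE.COMcyberj'
    'host/ipa.example.com@EXAMPLE.COM' -> b'EXAMPLE.COMhostipa.example.com'

    This is the only salt ktutil can use for 'addent -password': it never
    talks to the KDC, so it cannot learn that the KDC used something else.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like name[/instance]@REALM")
    return (realm + name.replace("/", "")).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes,
                 iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stage one of RFC 3962 string-to-key: tkey = PBKDF2-HMAC-SHA1(pw, salt).

    RFC 3962 Appendix B, iteration count 1, "password", "ATHENA.MIT.EDUraeburn":
    the first 16 bytes are cdedb5281bb2f801565a1122b2563515.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, AES256_KEY_LEN)


def aes256_string_to_key(password: str, salt: bytes,
                         iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Full derivation: key = DK(tkey, "kerberos") (RFC 3962 section 4).

    DR() encrypts the n-folded constant with CBC-CTS under a zero IV; for a
    single 16-byte block that is one plain AES block encryption, and the
    second output block is the encryption of the first (RFC 3961 section 5.1).
    Requires the third-party 'cryptography' package (assumption, not stdlib).
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    tkey = pbkdf2_stage(password, salt, iterations)
    enc = Cipher(algorithms.AES(tkey), modes.ECB()).encryptor()
    k1 = enc.update(KERBEROS_128FOLD)
    k2 = enc.update(k1)
    return k1 + k2          # random-to-key for AES is the identity


def ktutil_matches_kdc(password: str, principal: str, kdc_salt: bytes) -> bool:
    """True only when the KDC stored the key under the principal-name salt.
    With a random salt (FreeIPA's behaviour) the PBKDF2 outputs already
    differ, so every later stage differs too and kinit -k fails."""
    local = pbkdf2_stage(password, default_salt(principal))
    stored = pbkdf2_stage(password, kdc_salt)
    return local == stored


if __name__ == "__main__":
    principal = "cyberj@EXAMPLE.COM"
    password = "correct-password"            # constructed sample value
    random_salt = os.urandom(16)             # constructed stand-in for the KDC's salt
    print("default salt  :", default_salt(principal))
    print("name-salt tkey:", pbkdf2_stage(password, default_salt(principal)).hex())
    print("random-salt   :", pbkdf2_stage(password, random_salt).hex())
    print("ktutil keytab would work with a name-salted KDC key:",
          ktutil_matches_kdc(password, principal, default_salt(principal)))
    print("ktutil keytab would work with a random-salted KDC key:",
          ktutil_matches_kdc(password, principal, random_salt))
```

Two consequences follow from this. kinit with a password is unaffected because the KDC tells the client which salt to use in its pre-authentication hint (ETYPE-INFO2), which ktutil never sees; that hint is also what shows up under KRB5_TRACE. ipa-getkeytab avoids the derivation entirely by fetching keys from the server, but its default mode generates a fresh random key for the principal, which its man page warns invalidates any other keytab for that principal; retrieve mode (-r) fetches the existing key instead.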
I think your kinit is a little wrong. Try this:
kinit -k /root/cyberj.keytab cyberj@EXAMPLE.COM
Otherwise, trace it and you might find out more:
KRB5_TRACE=/dev/stdout kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
On 06/05/2017 10:18 AM, Kat via FreeIPA-users wrote:
Ok, I guess I am not understanding something here. What am I missing? The PW is correct, but no matter what I do, I can't use the keytab file for a user as shown below:
[root@ipa ~]# ktutil
ktutil:  addent -password -p cyberj@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for cyberj@EXAMPLE.COM:
ktutil:  wkt /root/cyberj.keytab
ktutil:  q
[root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
kinit: Password incorrect while getting initial credentials
:-(
-K