<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 09/16/2011 02:26 PM, Jimmy wrote:
<blockquote
cite="mid:CAG8E47S5R96SjCkZ9y=JVjO3vwW=kVOXUDijR1bav_4fHkxuyg@mail.gmail.com"
type="cite">I can create a keytab using ipa-getkeytab for any
entity, say for instance a user, and store a password in the
keytab but as soon as the user attempts to kinit with the set
password it expires and must be changed. Is this happening with
the host(workstation) entities?<br>
</blockquote>
<br>
Are you using the latest hand-built IPA from the master?<br>
There is a bug about passwords being expired.<br>
A more stable version is available from Fedora if you are using
Fedora, or from the 2.1 branch.<br>
<br>
<blockquote
cite="mid:CAG8E47S5R96SjCkZ9y=JVjO3vwW=kVOXUDijR1bav_4fHkxuyg@mail.gmail.com"
type="cite">
<br>
<div class="gmail_quote">On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:g17jimmy@gmail.com" target="_blank">g17jimmy@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div>When I do not specify the encryption type it does put
them all in in a single go. I just was attempting to
eliminate the other types in case that was creating a
problem. The system defaults to type x18
(aes256-cts-hmac-sha1-96). Thanks for your help on this.<br>
</div>
<div><br>
</div>
<div>[root@csp-idm etc]# klist -kte krb5.keytab.sys1 <br>
Keytab name: WRFILE:krb5.keytab.sys1<br>
KVNO Timestamp Principal<br>
---- ----------------- --------------------------------------------------------<br>
6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96) <br>
6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96) <br>
6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1) <br>
6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac) <br>
<br>
</div>
<div>
<div><br>
<div class="gmail_quote">On Fri, Sep 16, 2011 at 9:35 AM,
Simo Sorce <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:simo@redhat.com"
target="_blank">simo@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div>On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -k<br>
> krb5.keytab<br>
> -P [entering into the main keytab
/etc/krb5.keytab]<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -k<br>
> krb5.keytab.sys1 -P [entering into a new
keytab krb5.keytab.sys1]<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes256-cts-hmac-sha1-96 -k krb5.keytab -P<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes128-cts-hmac-sha1-96 -k krb5.keytab -P<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P<br>
><br>
<br>
</div>
This is not how it works.<br>
You must define all types in one single go.<br>
Every time you invoke ipa-getkeytab for a principal
you are discarding<br>
any previous key in the KDC, and only the last one is
available.<br>
<div>
<div><br>
Simo.<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
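<p>The point made in the quoted reply above (each ipa-getkeytab run discards the principal's previous keys in the KDC, so only the last run's keys are usable) can be checked against a keytab. The script below is an added example, not part of the original messages: it assumes every re-key raises the KVNO and that entries from earlier runs can remain in the keytab file, and the function names and the KVNO 5 sample line are constructed.</p>

```shell
#!/bin/sh
# Added example: audit `klist -kte` text for keys left over from earlier
# ipa-getkeytab runs. Assumption: every re-key raises the KVNO, so only the
# entries at a principal's highest KVNO can still match the KDC.

# Constructed sample (the KVNO 5 line and its timestamp are invented): one run
# with a single enctype, then a second run that requested two.
sample_klist() {
cat <<'EOF'
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 09/16/11 13:31:10 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
EOF
}

# Reads klist -kte text on stdin; prints one line per principal:
#   <principal> kvno=<highest> current=<enctypes at highest> stale=<older entries>
audit_keytab() {
  awk '
    $1 ~ /^[0-9]+$/ && NF >= 5 {
      kvno = $1 + 0; princ = $4
      # enctype is the text inside the last pair of parentheses on the line
      et = $0; sub(/^.*\(/, "", et); sub(/\).*$/, "", et)
      n++; k[n] = kvno; p[n] = princ; e[n] = et
      if (!(princ in max) || kvno > max[princ]) max[princ] = kvno
      if (!(princ in seen)) { seen[princ] = 1; order[++np] = princ }
    }
    END {
      for (i = 1; i <= np; i++) {
        pr = order[i]; cur = ""; stale = 0
        for (j = 1; j <= n; j++) {
          if (p[j] != pr) continue
          if (k[j] != max[pr]) { stale++; continue }
          sep = (cur == "") ? "" : ","; cur = cur sep e[j]
        }
        printf "%s kvno=%d current=%s stale=%d\n", pr, max[pr], cur, stale
      }
    }'
}

# Succeeds (exit 0) when any principal still has entries below its highest KVNO.
has_stale_keys() {
  audit_keytab | grep -qv ' stale=0$'
}

sample_klist | audit_keytab
```

<p>On a real host, feed it the live listing instead of the sample: <code>klist -kte /etc/krb5.keytab | audit_keytab</code>.</p>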
</body>
</html>