<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 09/16/2011 02:26 PM, Jimmy wrote: <blockquote cite="mid:CAG8E47S5R96SjCkZ9y=JVjO3vwW=kVOXUDijR1bav_4fHkxuyg@mail.gmail.com" type="cite">I can create a keytab using ipa-getkeytab for any entity, say for instance a user, and store a password in the keytab but as soon as the user attempts to kinit with the set password it expires and must be changed. Is this happening with the host(workstation) entities?<br> </blockquote> <br> Are you using latest hand built IPA from the master?<br> There is a bug about passwords being expired.<br> A more stable version is available from Fedora if you are using Fedora or from 2.1 branch.<br> <br> <blockquote cite="mid:CAG8E47S5R96SjCkZ9y=JVjO3vwW=kVOXUDijR1bav_4fHkxuyg@mail.gmail.com" type="cite"> <br> <div class="gmail_quote">On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <span dir="ltr"><<a moz-do-not-send="true" href="mailto:g17jimmy@gmail.com" target="_blank">g17jimmy@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <div>When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.<br> </div> <div><br> </div> <div>[root@csp-idm etc]# klist -kte krb5.keytab.sys1 <br> Keytab name: WRFILE:krb5.keytab.sys1<br> KVNO Timestamp Principal<br> ---- ----------------- --------------------------------------------------------<br> 6 09/16/11 13:40:03 <a class="moz-txt-link-abbreviated" href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP">host/ews1-cybsec.pdh.csp@PDH.CSP</a> (aes256-cts-hmac-sha1-96) <br> 6 09/16/11 13:40:03 <a class="moz-txt-link-abbreviated" href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP">host/ews1-cybsec.pdh.csp@PDH.CSP</a> (aes128-cts-hmac-sha1-96) <br> 6 09/16/11 13:40:04 <a class="moz-txt-link-abbreviated" href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP">host/ews1-cybsec.pdh.csp@PDH.CSP</a> (des3-cbc-sha1) <br> 6 09/16/11 13:40:04 <a class="moz-txt-link-abbreviated" href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP">host/ews1-cybsec.pdh.csp@PDH.CSP</a> (arcfour-hmac) <br> <br> </div> <div> <div><br> <div class="gmail_quote">On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <span dir="ltr"><<a moz-do-not-send="true" href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <div>On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:<br> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k<br> > krb5.keytab<br> > -P [entering into the main keytab /etc/krb5.keytab]<br> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k<br> > krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]<br> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e<br> > aes256-cts-hmac-sha1-96 -k krb5.keytab -P<br> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e<br> > aes128-cts-hmac-sha1-96 -k krb5.keytab -P<br> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e<br> > aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P<br> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e<br> > aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P<br> ><br> <br> </div> This is not how it works.<br> You must define all types in one single go.<br> Every time you invoke ipa-getkeytab for a principal you are discarding<br> any previous key in the KDC, and only the last one is available.<br> <div> <div><br> Simo.<br> <br> --<br> Simo Sorce * Red Hat, Inc * New York<br> <br> </div> </div> </blockquote> </div> <br> </div> </div> </blockquote> </div> <br> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>