[Freeipa-users] User keytab file

David O'Brien davido at redhat.com
Wed May 13 01:54:49 UTC 2009


Daniel Scott wrote:
> Hi,
>
> I have a FreeIPA server configured and working. I'm now trying to
> automate a few processes and have a question regarding user keytabs.
> I'm looking to enable passwordless authentication/login for a
> particular user.
>
> I have followed the instructions found here:
> http://kb.iu.edu/data/aumh.html
>
> From the above page, it appears that I can do this using a user
> keytab. I have created a user named 'backup' and given it a good, long
> password. I then created a user keytab file using the following
> command:
>
> # ktutil
> ktutil: addent -password -p backup -k 1 -e des-cbc-crc
> ktutil: addent -password -p backup -k 2 -e des3-cbc-sha1
> ktutil: wkt /etc/backup.keytab
>
> I can display the contents of this keytab and it appears to have been
> created successfully. Then, I should be able to authenticate using the
> following command, correct?
>
> # kinit backup -k -t /etc/backup.keytab
> kinit(v5): Key table entry not found while getting initial credentials
>
> The server logs show the following:
>
> May 12 11:54:34 example.com krb5kdc[12175](info): AS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.1.50: NEEDED_PREAUTH: backup at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
>
> I have tried numerous combinations of the username in the kinit
> command, but I cannot obtain a ticket. Does anyone have any
> suggestions? Am I approaching this in the wrong way? Am I using the
> wrong hashing algorithm?
>
> A little more background information:
> 1. The backup.keytab has permissions 600 and is owned by backup.
> 2. I have also tried this as root.
>
> Thanks,
>
> Dan Scott
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>   
You don't mention what OSes you're using, so I can only make a 
suggestion here:
It looks like you're using Kerberos' native tools, which are not 
supported in IPA. Have a look at (in particular) section 1.2 in the 
Administration Reference on the freeipa.org site.

http://freeipa.org/docs/1.2/Administrators_Reference/en-US/html/index.html

Are you actually using EXAMPLE.COM as your realm name? That's what the 
Kerberos config file (/etc/krb5.conf) uses by default, so you'll need to 
change it to whatever your real realm name is.

hth
David

-- 

David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when
one will do."
    Thomas Jefferson 
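An added example for the keytab question above (not code from either poster, nor from FreeIPA): a small parser for the MIT krb5 keytab file format (version 0x0502, the one ktutil writes) that lists each entry's principal, kvno and enctype, and then approximates the lookup that `kinit -k` performs, so a "Key table entry not found" can be compared against what the keytab really contains. Two things must line up for the keytab path to work: the entry's principal must match the client principal exactly, realm included (ktutil appends the default realm from /etc/krb5.conf when `-p backup` carries none), and the entry's enctype must be one the KDC will accept for that principal. The keytab bytes here are constructed inline with dummy key material; the realm names and the KDC enctype sets passed to `explain()` are assumptions for illustration.

```python
"""Parse an MIT krb5 keytab (format 0x0502) and approximate the key lookup
kinit -k performs.  Added example for this thread, not FreeIPA code; the
keytab below is built inline with dummy (hypothetical) key material."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data):
    """krb5 counted_octet_string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialise one v2 keytab entry; `principal` is 'name[/inst]@REALM'."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    # name_type NT-PRINCIPAL (1), timestamp, 8-bit vno
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(blob):
    """Return a list of dicts with principal, kvno, enctype and key."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:    # 32-bit vno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def usable_keys(entries, principal, kdc_etypes):
    """Entries kinit -k could use: exact principal and an enctype the KDC offers."""
    return [e for e in entries
            if e["principal"] == principal and e["enctype"] in kdc_etypes]


def explain(entries, principal, kdc_etypes):
    """Why a lookup would fail with 'Key table entry not found', or the match."""
    want_name = principal.split("@")[0]
    same_name = [e for e in entries if e["principal"].split("@")[0] == want_name]
    if not same_name:
        return "no entry for %s at all" % principal
    exact = [e for e in same_name if e["principal"] == principal]
    if not exact:
        return "realm mismatch: keytab has %s" % sorted({e["principal"] for e in same_name})
    ok = usable_keys(exact, principal, kdc_etypes)
    if not ok:
        return "no enctype overlap: keytab %s vs KDC %s" % (
            sorted(ENCTYPE_NAMES.get(e["enctype"], e["enctype"]) for e in exact),
            sorted(ENCTYPE_NAMES.get(t, t) for t in kdc_etypes))
    best = max(ok, key=lambda e: e["kvno"])  # kinit prefers the highest kvno
    return "usable: %s kvno %d %s" % (best["principal"], best["kvno"],
                                      ENCTYPE_NAMES.get(best["enctype"], best["enctype"]))


# Constructed sample keytab mirroring the two ktutil addent lines (dummy keys).
SAMPLE = build_keytab([
    ("backup@EXAMPLE.COM", 1, 1, b"\x01" * 8),
    ("backup@EXAMPLE.COM", 2, 16, b"\x02" * 24),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE)
    for e in ents:
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES.get(e["enctype"]))
    print(explain(ents, "backup@EXAMPLE.COM", {16, 18}))       # matches
    print(explain(ents, "backup@IPA.EXAMPLE.COM", {16, 18}))   # wrong realm
    print(explain(ents, "backup@EXAMPLE.COM", {17, 18}))       # AES-only KDC
```

Run it against a real file with `parse_keytab(open("/etc/backup.keytab", "rb").read())` and the principal you pass to kinit; the KDC's `AS_REQ (7 etypes {...})` log line lists what the client offered, not what the KDC accepts, so the enctype set is best taken from the KDC's own configuration. The parser handles only the v2 layout; the older 0x0501 format has no name_type field and differs in component counting, so it is rejected rather than misread.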