[Freeipa-users] Windows client logon

Jimmy g17jimmy at gmail.com
Fri Sep 16 13:44:38 UTC 2011


When I do not specify the encryption type it does put them all in in a
single go. I just was attempting to eliminate the other types in case that
was creating a problem. The system defaults to type x18
(aes256-cts-hmac-sha1-96). Thanks for your help on this.

[root@csp-idm etc]# klist -kte krb5.keytab.sys1
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)


On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <simo at redhat.com> wrote:

> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P            [entering into the main keytab /etc/krb5.keytab]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> >
>
> This is not how it works.
> You must define all types in one single go.
> Every time you invoke ipa-getkeytab for a principal you are discarding
> any previous key in the KDC, and only the last one is available.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>