[Freeipa-users] Windows client logon

Jimmy g17jimmy at gmail.com
Fri Sep 16 18:26:52 UTC 2011


I can create a keytab using ipa-getkeytab for any entity, say for instance a
user, and store a password in the keytab, but as soon as the user attempts to
kinit with the set password it expires and must be changed. Is this
happening with the host (workstation) entities?

On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <g17jimmy at gmail.com> wrote:

> When I do not specify the encryption type it does put them all in in a
> single go. I just was attempting to eliminate the other types in case that
> was creating a problem. The system defaults to type x18
> (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>
> [root@csp-idm etc]# klist -kte krb5.keytab.sys1
> Keytab name: WRFILE:krb5.keytab.sys1
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
>
>
> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <simo at redhat.com> wrote:
>
>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> >
>>
>> This is not how it works.
>> You must define all types in one single go.
>> Every time you invoke ipa-getkeytab for a principal you are discarding
>> any previous key in the KDC, and only the last one is available.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
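
Added example, not part of the original thread or of FreeIPA: a small checker for `klist -kte` output that shows the effect Simo describes, where each ipa-getkeytab run replaces the principal's keys and leaves earlier keytab entries stale. The sample listing, the host name and realm, and the function names `parse_klist` and `audit` are constructed for illustration; it assumes the keytab file was appended to on each run.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): a keytab file that ipa-getkeytab
# appended to three times, once with default enctypes and twice with -e.
SAMPLE = """\
Keytab name: FILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   4 09/16/11 13:20:01 host/ws1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 09/16/11 13:20:01 host/ws1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   4 09/16/11 13:20:02 host/ws1.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   4 09/16/11 13:20:02 host/ws1.example.test@EXAMPLE.TEST (arcfour-hmac)
   5 09/16/11 13:25:10 host/ws1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:27:44 host/ws1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# KVNO, two timestamp tokens, principal, "(enctype)"; the space before the
# parenthesis is optional because some renderings drop it.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+([^\s(]+)\s*\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def audit(text):
    """Per principal: highest KVNO, enctypes at that KVNO, and stale entries.

    Assumption: the KDC holds only the keys of the most recent ipa-getkeytab
    run, so entries with a lower KVNO cannot decrypt newly issued tickets.
    """
    by_principal = defaultdict(list)
    for kvno, principal, enctype in parse_klist(text):
        by_principal[principal].append((kvno, enctype))
    report = {}
    for principal, entries in by_principal.items():
        latest = max(k for k, _ in entries)
        report[principal] = {
            "kvno": latest,
            "usable": sorted(e for k, e in entries if k == latest),
            "stale": sorted((k, e) for k, e in entries if k < latest),
        }
    return report

if __name__ == "__main__":
    for principal, info in audit(SAMPLE).items():
        print(principal, info)
```

In the constructed sample only the aes128 key at KVNO 6 is still usable, which is the state the last `-e aes128-cts-hmac-sha1-96` invocation in the quoted command list would leave behind.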