[Freeipa-users] Windows client logon

Dmitri Pal dpal at redhat.com
Fri Sep 16 20:45:35 UTC 2011


On 09/16/2011 02:26 PM, Jimmy wrote:
> I can create a keytab using ipa-getkeytab for any entity, say for
> instance a user, and store a password in the keytab but as soon as the
> user attempts to kinit with the set password it expires and must be
> changed. Is this happening with the host(workstation) entities?

Are you using the latest hand-built IPA from master?
There is a bug about passwords being expired.
A more stable version is available from Fedora if you are using Fedora
or from the 2.1 branch.

>
> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <g17jimmy at gmail.com
> <mailto:g17jimmy at gmail.com>> wrote:
>
>     When I do not specify the encryption type it does put them all in
>     a single go. I just was attempting to eliminate the other types
>     in case that was creating a problem. The system defaults to type
>     x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>
>     [root@csp-idm etc]# klist -kte krb5.keytab.sys1
>     Keytab name: WRFILE:krb5.keytab.sys1
>     KVNO Timestamp         Principal
>     ---- ----------------- --------------------------------------------------------
>        6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
>        6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
>        6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
>        6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
>
>
>     On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <simo at redhat.com
>     <mailto:simo at redhat.com>> wrote:
>
>         On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>         >
>
>         This is not how it works.
>         You must define all types in one single go.
>         Every time you invoke ipa-getkeytab for a principal you are
>         discarding any previous key in the KDC, and only the last one
>         is available.
>
>         Simo.
>
>         --
>         Simo Sorce * Red Hat, Inc * New York
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
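
Added example, not part of the original thread and not FreeIPA project code: a check for the situation Simo describes, where repeated ipa-getkeytab runs leave keytab entries whose keys the KDC has already discarded. It assumes each re-key raises the KVNO; the function names, the sample principal and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Label each `klist -kte` entry CURRENT or STALE. Assumption: every re-key
# raises the KVNO, so only the highest KVNO per principal matches the KDC.
classify_keytab_entries() {
    awk '
    $1 ~ /^[0-9]+$/ && NF >= 5 {          # data rows start with a numeric KVNO
        n++
        kvno[n] = $1 + 0
        princ[n] = $4
        etype[n] = $5
        gsub(/[()]/, "", etype[n])        # "(aes128-...)" -> "aes128-..."
        if (kvno[n] > max[princ[n]]) max[princ[n]] = kvno[n]
    }
    END {
        for (i = 1; i <= n; i++) {
            state = (kvno[i] == max[princ[i]]) ? "CURRENT" : "STALE"
            print state, kvno[i], princ[i], etype[i]
        }
    }'
}

# Constructed sample: one run without -e (four enctypes), then one run per
# enctype appended to the same keytab file, as in the quoted command sequence.
sample_klist_output() {
    cat <<'EOF'
Keytab name: WRFILE:krb5.keytab.example
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 09/16/11 13:38:10 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 09/16/11 13:38:10 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   4 09/16/11 13:38:11 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   4 09/16/11 13:38:11 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
   5 09/16/11 13:39:02 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
EOF
}

# On a real host, replace the sample with: klist -kte <keytab file>
sample_klist_output | classify_keytab_entries
```

Any STALE line means the keytab was built up over several runs; a keytab fetched in a single run shows one KVNO for every encryption type, as in the klist output quoted above.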

