[Freeipa-users] Windows client logon
Dmitri Pal
dpal at redhat.com
Fri Sep 16 20:45:35 UTC 2011
On 09/16/2011 02:26 PM, Jimmy wrote:
> I can create a keytab using ipa-getkeytab for any entity, say for
> instance a user, and store a password in the keytab but as soon as the
> user attempts to kinit with the set password it expires and must be
> changed. Is this happening with the host (workstation) entities?
Are you using the latest hand-built IPA from the master?
There is a bug about passwords being expired.
A more stable version is available from Fedora if you are using Fedora
or from the 2.1 branch.
>
> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <g17jimmy at gmail.com
> <mailto:g17jimmy at gmail.com>> wrote:
>
> When I do not specify the encryption type it does put them all in
> in a single go. I was just attempting to eliminate the other types
> in case that was creating a problem. The system defaults to type
> x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>
> [root@csp-idm etc]# klist -kte krb5.keytab.sys1
> Keytab name: WRFILE:krb5.keytab.sys1
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
> 6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
> 6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
> 6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
>
>
> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <simo at redhat.com
> <mailto:simo at redhat.com>> wrote:
>
> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> >
>
> This is not how it works.
> You must define all types in one single go.
> Every time you invoke ipa-getkeytab for a principal you are discarding
> any previous key in the KDC, and only the last one is available.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
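
An added example, not part of the original message or of FreeIPA's own code: a check over `klist -kte` output that flags keytab entries left behind by earlier ipa-getkeytab runs, which the KDC no longer honours once a later run has replaced the keys. It assumes each run raises the KVNO; the principal, realm and listing are constructed, and `sample_klist` and `audit_keytab` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample: `klist -kte` text for a keytab appended to by three
# separate ipa-getkeytab runs (KVNO 4, 5 and 6). Not taken from the thread.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 09/16/11 13:31:10 host/ews1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 09/16/11 13:33:42 host/ews1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1.example.test@EXAMPLE.TEST (arcfour-hmac)
EOF
}

# Reads `klist -kte` text on stdin and prints one line per keytab entry:
#   CURRENT|STALE <kvno> <principal> <enctype>
# An entry is STALE when the same keytab holds a higher KVNO for that
# principal (assumption: every ipa-getkeytab run increments the KVNO).
audit_keytab() {
    awk '
    # Entry lines start with a numeric KVNO; header lines do not.
    $1 ~ /^[0-9]+$/ && NF >= 5 {
        n++
        kvno[n] = $1 + 0
        princ[n] = $4
        enc[n] = $5
        gsub(/[()]/, "", enc[n])
        if (kvno[n] > max[princ[n]]) max[princ[n]] = kvno[n]
    }
    END {
        for (i = 1; i <= n; i++) {
            state = (kvno[i] < max[princ[i]]) ? "STALE" : "CURRENT"
            printf "%s %d %s %s\n", state, kvno[i], princ[i], enc[i]
        }
    }'
}

# Stand-alone run over the constructed sample.
sample_klist | audit_keytab
```

On a real host, feed it `klist -kte /etc/krb5.keytab`; the CURRENT lines show which encryption types the last run actually issued.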