[Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesn't work

Simo Sorce simo at redhat.com
Tue Dec 2 18:47:30 UTC 2014


On Tue, 02 Dec 2014 12:08:24 +0100
Andreas Ladanyi <andreas.ladanyi at kit.edu> wrote:

> > On Mon, 01 Dec 2014 11:53:11 +0100
> > Andreas Ladanyi <andreas.ladanyi at kit.edu> wrote:
> >
> >> Hi,
> >>
> >> Server: FreeIPA 3.3.5, Fedora 20
> >> Client: Ubuntu 14.04
> >>
> >> ipa-getkeytab -s freeipaserver -p principal@REALM -k
> >> /tmp/principal.keytab -e des3-hmac-sha1 -P
> >>
> >> only results in:
> >>
> >> klist -k /tmp/principal.keytab -e
> >> Keytab name: FILE:/tmp/principal.keytab
> >> KVNO Principal
> > The 2 enctypes are equivalent and can be interchanged afaik.
> >
> > Simo.
> >
> Ok.
> 
> Another question: Is it possible to generate keys with no salt instead
> of Version 5 (normal) salt?
> 
> I want to generate a des3 key with no salt:
> 
> ipa-getkeytab -s freeipaserver -p principal@REALM -k
> /tmp/principal.keytab -e des3-hmac-sha1:v4 -P
> 
> The answer is:
> 
> Bad or unsupported salt type.
> Failed to create key material
> 
> I configured the des3-hmac-sha1:v4 in LDAP and in kdc.conf

This works for me without needing to configure anything with Freeipa
4.1 ... probably because it uses the new getkeytab control and key
generation is done on the server side.

... and I looked at the ipa-getkeytab.c code and it appears we do not
support using the v4 salt type in ipa-getkeytab with the older protocol
code, which is the one used with ipa < 4.x.

I am not exactly sure why we don't; I have a comment in the code that
explicitly calls out SALTTYPE_V4 as not supported, explaining we do not
support krb v4 though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
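The thread above works with keytab listings from `klist -k -e` and with the DES3 enctype family. As an added example that is not part of the original thread or of the FreeIPA project's code, the POSIX shell script below audits such a listing and flags entries whose enctype is in the DES or 3DES families, both of which are deprecated in Kerberos (RFC 6649 for single DES, RFC 8429 for 3DES). The listing it reads is a constructed sample in the format `klist -k -e` prints; the principal names, KVNOs and keytab path in it are invented. `des3-cbc-sha1` is the canonical name MIT Kerberos prints for the `des3-hmac-sha1` alias, which is the equivalence Simo mentions in his first reply.

```shell
#!/bin/sh
# Added example (not from the thread): audit a `klist -k -e` style listing
# for deprecated DES/3DES enctypes. Runs offline on the constructed sample
# below; pipe real `klist -k -e` output into audit_keytab_listing instead.

# Constructed sample of `klist -k -e` output. Principals and KVNOs are
# invented. des3-cbc-sha1 is how MIT Kerberos names the des3-hmac-sha1 alias.
SAMPLE_LISTING='Keytab name: FILE:/tmp/principal.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 nfs/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 nfs/client.example.test@EXAMPLE.TEST (des-cbc-crc)'

# Print "<kvno> <principal> <enctype> <verdict>" for every key entry.
# The verdict is WEAK for the des-* and des3-* families and OK otherwise.
# Exit status is 1 if at least one weak key was found, 0 otherwise, so the
# function can be used directly as a health check.
audit_keytab_listing() {
    printf '%s\n' "$1" | awk '
        # Key entries start with whitespace, a numeric KVNO, then a space.
        /^ *[0-9]+ / {
            kvno = $1
            princ = $2
            enc = $3
            gsub(/[()]/, "", enc)            # strip the parentheses klist adds
            verdict = (enc ~ /^des3?-/) ? "WEAK" : "OK"
            if (verdict == "WEAK") weak++
            print kvno, princ, enc, verdict
        }
        END { if (weak > 0) exit 1; exit 0 }'
}

# Number of weak entries in a listing (0 when there are none).
count_weak_keys() {
    audit_keytab_listing "$1" | grep -c ' WEAK$'
}

# Usage on the constructed sample; "|| ..." keeps the script going under set -e.
audit_keytab_listing "$SAMPLE_LISTING" || echo "weak keys present, rotate them"
echo "weak keys: $(count_weak_keys "$SAMPLE_LISTING")"
```

Running it on a live keytab is `klist -k -e /path/to/keytab | ...` fed through `audit_keytab_listing "$(klist -k -e /path/to/keytab)"`; a non-zero exit tells you the keytab still carries a DES-family key that should be regenerated with an AES enctype.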
