On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
On Fri, 11 May 2018, Josh wrote:
> On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
>> On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>>> Server certificate has expired and all ipa utilities fail.
>>> Could you please stay on topic and explain if you can why ktutil
>>> can't be used as described in https://kb.iu.edu/d/aumh?
>>> Does ipa make ktutil not functional?
Can you show output of
  kinit admin
  kvno admin
  klist -ef
I suspect your admin password did change over time so it has a different
kvno value than what you have used in ktutil's addent (-k 1).
I modified a script posted on
https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-ma...
to create a simple test case:
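#!/bin/bash
# Build a keytab for $user from its password with ktutil, then try to use it.
user=admin
read -sp "${user}'s pass:" pass
echo
# Obtain a TGT interactively so that kvno and klist have credentials to use.
kinit "$user"
# Key version number of the principal, as reported by the KDC.
KVNO=$(kvno "$user" | awk '{print $NF}')
# Encryption type, taken from the line following the krbtgt entry.
ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
# Add the password-derived key to a new keytab, then list its contents.
printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab" | ktutil
printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
# Authenticate with the keytab instead of the password.
kinit -k -t "$user.keytab" "$user"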
The result when run from an IPA host is the same error as before:
"kinit: Preauthentication failed while getting initial credentials",
despite the fact that the KVNO numbers match.
Could anyone confirm that an admin keytab acquired via ipa_getkeytab is
working and, if yes, what is the difference from the above method?
Josh.