Simo Sorce via FreeIPA-users wrote:
On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote:
> Never mind -- if I use ipa-getkeytab, it works perfectly.
> What is the difference between what getkeytab and ktutil by hand
> Is it documented?
In FreeIPA we generate a random salt instead of using the old
"principal name as salt". ktutil depends on using the "principal name
as salt" to generate correct keys, so it fails to create a valid key.
I wonder if we should make a goal of documenting what works with
ktutil/kadmin and what doesn't so at least if/when things blow up we can
point them to a page.
Existing experience with Kerberos can be handy to understand how IPA
fits together but it's a double-edged sword since the usual tool
workflow generally doesn't translate well.
This doesn't come up super-often so maybe we can just point to the users
list. I'd like to avoid creating another ticket that lives forever though.
> On 6/5/17 9:18 AM, Kat wrote:
>> Ok, I guess I am not understanding something here. What am I
>> The PW is correct, but no matter what I do, I can't use the keytab
>> file for a user as shown below:
>> [root@ipa ~]# ktutil
>> ktutil: addent -password -p cyberj@EXAMPLE.COM -k 1 -e
>> Password for cyberj@EXAMPLE.COM:
>> ktutil: wkt /root/cyberj.keytab
>> ktutil: q
>> [root@ipa ~]# kinit -k -t cyberj.keytab cyberj@EXAMPLE.COM
>> kinit: Password incorrect while getting initial credentials
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahoste
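Added example, not part of the original thread or of FreeIPA's code: a sketch of why a key derived from the principal-name salt cannot match one the KDC derived from a random salt, even when the password is identical. It assumes an AES enctype (the `-e` value in the session above is cut off) and covers only the PBKDF2 stage of the RFC 3962 string-to-key. The password and the 16-byte "KDC salt" are constructed sample values.

```python
import hashlib


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm followed by the principal's
    name components, concatenated without separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def aes_pbkdf2_stage(password: str, salt: bytes,
                     keylen: int = 32, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.
    The final DK(tkey, "kerberos") step is omitted here; it is a
    deterministic function of this output, so a different result at
    this stage means a different long-term key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               iterations, keylen)


def derive_both(principal: str, password: str, kdc_salt: bytes):
    """Return (key material a default-salt tool would derive,
               key material derived with the salt the KDC stored)."""
    by_hand = aes_pbkdf2_stage(password, default_salt(principal))
    on_kdc = aes_pbkdf2_stage(password, kdc_salt)
    return by_hand, on_kdc


# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_KDC_SALT = bytes.fromhex("5f1c9a3e7b2d4c60a1b8e4f20917d3c5")

if __name__ == "__main__":
    by_hand, on_kdc = derive_both("cyberj@EXAMPLE.COM",
                                  SAMPLE_PASSWORD, SAMPLE_KDC_SALT)
    print("default salt :", default_salt("cyberj@EXAMPLE.COM"))
    print("by-hand key  :", by_hand.hex())
    print("KDC-side key :", on_kdc.hex())
    print("match        :", by_hand == on_kdc)
```

The mismatch is what surfaces as a pre-authentication failure at `kinit -k`, even though the password typed into ktutil was correct.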