On Mon, 14 May 2018, Rob Crittenden via FreeIPA-users wrote:
Josh via FreeIPA-users wrote:
>On 05/12/2018 01:53 AM, Alexander Bokovoy wrote:
>>On Fri, 11 May 2018, Josh wrote:
>>>On 05/11/2018 01:19 AM, Alexander Bokovoy wrote:
>>>>On Thu, 10 May 2018, Josh via FreeIPA-users wrote:
>>>>>Server certificate has expired and all ipa utilities fail.
>>>>>Could you please stay on topic and explain if you can why
>>>>>ktutil can't be used as described in
>>>>>https://kb.iu.edu/d/aumh?
>>>>>Does ipa make ktutil not functional?
>>Can you show output of
>>
>>kinit admin
>>kvno admin
>>klist -ef
>>
>>I suspect your admin password did change over time so it has a different
>>kvno value than what you have used in ktutil's addent (-k 1).
>>
>
>I modified a script posted on
>https://stackoverflow.com/questions/37454308/script-kerberos-ktutil-to-ma...
>to create a simple test case:
>
>#!/bin/bash
>user=admin
>read -sp "${user}'s pass:" pass
>echo
># Get a TGT with the password, then read the current kvno and the
># ticket enctype back from the credential cache.
>kinit "$user"
>KVNO=$(kvno "$user" | awk '{print $NF}')
>ETYPE=$(klist -ef | grep -A 1 krbtgt | tail -1 | awk '{print $NF}')
># Derive a key from the password with ktutil and write it to a keytab
># (no salt is given, so addent uses the default salt for the principal).
>printf "%b" "addent -password -p $user -k $KVNO -e $ETYPE\n$pass\nwrite_kt $user.keytab" | ktutil
>printf "%b" "read_kt $user.keytab\nlist\nquit\n" | ktutil
># Try to authenticate with the freshly written keytab.
>kinit -k -t "$user.keytab" "$user"
>
>
>The result when run from an IPA host is the same error as before:
>kinit: Preauthentication failed while getting initial credentials
>despite the fact that the KVNO numbers match.
>Could anyone confirm that an admin keytab acquired via ipa-getkeytab is
>working, and if yes, then what is the difference from the above method?
ipa-getkeytab works for me. I don't know why ktutil isn't working, but
we do zero testing using this.
Talking with Simo, we realized that since we are using a random salt for
all IPA principals, you need to know the salt when creating a keytab
entry. You can only retrieve that via KRB5_TRACE for kinit, like I did in
https://paste.fedoraproject.org/paste/KPt2PbYsdluhAJcVLdQjBg, but since
the salt is random, it may have characters that aren't clean for shell
use, so your scripting mileage may vary.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
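The salt problem described in this thread, as an added example that is not part of the thread and not FreeIPA or MIT krb5 code: Kerberos derives the long-term key from the password and the salt together, so a ktutil entry made with the default salt (realm followed by the name components) does not match a KDC entry made with IPA's random salt, even when the kvno is right. The block computes only the PBKDF2 stage of the RFC 3962 aes256-cts string-to-key function with the standard library (the final DK step needs AES and is a deterministic function of that output, so a different PBKDF2 result already means a different key), parses the salt out of a KRB5_TRACE transcript, and builds ktutil's stdin in Python rather than through `printf`, so shell-significant characters in the salt never reach a shell. Assumptions: the `Selected etype info` trace line format is taken from MIT krb5's trace output and the sample line is constructed; the principal, password and salt values are constructed; ktutil's `addent -s salt` option is assumed to exist in your MIT krb5 release (check `ktutil` help); IPA's actual salt generator is not reproduced.

```python
"""Password + salt -> key: why a ktutil keytab can fail against FreeIPA."""
import hashlib
import re
import secrets
import string
import subprocess
from typing import Optional

# aes256-cts-hmac-sha1-96 parameters (RFC 3962): PBKDF2-HMAC-SHA1,
# default iteration count 4096, 32 bytes of output.
AES256_ITERATIONS = 4096
AES256_KEY_BYTES = 32


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the principal name
    components, concatenated with no separators. This is what ktutil's
    addent uses when no salt is supplied."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def random_salt(length: int = 16) -> str:
    """Constructed stand-in for a random per-principal salt. It deliberately
    includes shell-significant characters; IPA's real generator is not shown."""
    alphabet = string.ascii_letters + string.digits + "$`';|&"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pbkdf2_stage(password: str, salt: str) -> bytes:
    """First stage of the RFC 3962 string-to-key function: PBKDF2-HMAC-SHA1
    over the UTF-8 password and salt (the AES-based DK step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"),
                               AES256_ITERATIONS, AES256_KEY_BYTES)


def keys_differ(password: str, principal: str, kdc_salt: str) -> bool:
    """True when the key ktutil derives with the default salt differs from
    the key the KDC holds under kdc_salt: the mismatch that kinit reports
    as 'Preauthentication failed'."""
    return (pbkdf2_stage(password, default_salt(principal))
            != pbkdf2_stage(password, kdc_salt))


# KRB5_TRACE=/dev/stderr kinit admin prints the etype info the KDC chose.
# Line format assumed from MIT krb5's "Selected etype info" trace message;
# the transcript and salt below are constructed for this example.
SALT_RE = re.compile(r'salt "([^"]*)"')
SAMPLE_SALT = "IPA.EXAMPLE$x`y'z;q"
SAMPLE_TRACE = (
    "[4242] 1526284800.000001: Getting initial credentials for "
    "admin@IPA.EXAMPLE\n"
    "[4242] 1526284800.000002: Selected etype info: etype aes256-cts, "
    'salt "' + SAMPLE_SALT + '", params ""\n'
)


def salt_from_trace(trace_text: str) -> Optional[str]:
    """Extract the salt from a KRB5_TRACE transcript as plain data; no shell
    ever interpolates its contents."""
    for line in trace_text.splitlines():
        if "Selected etype info" in line:
            match = SALT_RE.search(line)
            if match:
                return match.group(1)
    return None


def ktutil_commands(principal: str, kvno: int, etype: str, salt: str,
                    password: str, keytab: str) -> str:
    """Build ktutil's stdin, passing the salt with addent's -s option
    (assumed available in your MIT krb5 release)."""
    return (f"addent -password -p {principal} -k {kvno} -e {etype} -s {salt}\n"
            f"{password}\nwrite_kt {keytab}\nquit\n")


def run_ktutil(commands: str) -> int:
    """Feed the commands to ktutil directly (needs ktutil on PATH; not run
    in this example). No shell is involved, so $ or quotes are harmless."""
    return subprocess.run(["ktutil"], input=commands, text=True).returncode


def pbkdf2_selftest() -> bool:
    """Check the PBKDF2 primitive against RFC 6070's first test vector."""
    out = hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 1, 20)
    return out.hex() == "0c60c80f961f0e71f3a9b524af6012062fe037a6"


if __name__ == "__main__":
    salt = salt_from_trace(SAMPLE_TRACE)
    print("KDC salt from trace:", repr(salt))
    print("ktutil default salt:", default_salt("admin@IPA.EXAMPLE"))
    print("keys differ:", keys_differ("Secret123", "admin@IPA.EXAMPLE", salt))
    print(ktutil_commands("admin@IPA.EXAMPLE", 1, "aes256-cts", salt,
                          "Secret123", "admin.keytab"))
```

Run it as is to see the two salts side by side and the ktutil command text; to use it for real, capture `KRB5_TRACE=/dev/stderr kinit admin` output into `salt_from_trace` and hand the result of `ktutil_commands` to `run_ktutil`. Verify the outcome the same way the thread does, with `kinit -k -t admin.keytab admin`.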