When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
[root@csp-idm etc]# klist -kte krb5.keytab.sys1
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/[email protected](aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/[email protected](aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/[email protected] (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/[email protected] (arcfour-hmac)

On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <[email protected]> wrote:
> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> >
>
> This is not how it works.
> You must define all types in one single go.
> Every time you invoke ipa-getkeytab for a principal you are discarding
> any previous key in the KDC, and only the last one is available.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
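As an added example (not part of the original thread): a small Python check for the situation Simo describes, where separate ipa-getkeytab runs leave a keytab holding keys the KDC has already discarded. It parses `klist -kte` output and reports stale entries, assuming that each key regeneration raises the KVNO and that the newest KVNO in the file is the KDC's current one; the principal and sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: klist -kte output after two separate ipa-getkeytab
# runs against the same keytab (one enctype per run). Not from the thread.
SAMPLE = """\
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   7 09/16/11 13:20:11 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   8 09/16/11 13:21:45 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# KVNO, two-token timestamp, principal, then the enctype in parentheses
# (klist may or may not put a space before the parenthesis).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+?)\s*\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit(text):
    """Per principal: enctypes at the newest KVNO and entries left at older ones.

    Assumption: the newest KVNO in the file matches the KDC, so entries at a
    lower KVNO are keys that a later regeneration has discarded.
    """
    by_principal = defaultdict(list)
    for kvno, principal, enctype in parse_klist(text):
        by_principal[principal].append((kvno, enctype))
    report = {}
    for principal, keys in by_principal.items():
        newest = max(kvno for kvno, _ in keys)
        report[principal] = {
            "kvno": newest,
            "usable": sorted(e for k, e in keys if k == newest),
            "stale": sorted((k, e) for k, e in keys if k < newest),
        }
    return report


if __name__ == "__main__":
    for principal, info in audit(SAMPLE).items():
        print(principal, info)
```

A keytab written in a single run, like the one listed at the top of this message, shows every enctype at the same KVNO and an empty stale list.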
