FortiGate
simonz_FTNT
Staff
Article Id 255891
Description

This article explains why exporting the full configuration with the 'show full' CLI command does not include the hidden password field of the Kerberos keytab setting. That password is what FortiOS uses to encrypt and decrypt the keytab.

Below is the output of 'show full' in the CLI:

3KD_KRB (root) # show full-configuration user krb-keytab
    config user krb-keytab
        edit "proxy_service"
            set pac-data disable
            set principal "HTTP/fgtproxy.syd.fortilabapac.lab@SYD.FORTILABAPAC.LAB"
            set ldap-server "AD"
            set keytab "ENC HLoYVfTu++vvtDCZA7Ee2flNurEbqF1PMdZStWnDguf9rW6JVDKrac+N2zRKq4V"
        next
    end

Compare this with an actual configuration backup taken from the GUI or with the 'exec backup' CLI command:

config user krb-keytab
    edit "proxy_service"
        set pac-data disable
        set principal "HTTP/fgtproxy.syd.fortilabapac.lab@SYD.FORTILABAPAC.LAB"
        set ldap-server "AD"
        set keytab "ENC HLoYVfTu++vvtDCZA7Ee2flNurEbqF1PMdZStWnDguf9rW6JVDKrac+N2zRKq4V"
        set password ENC N6Srnr9VSx8hwVM6OZnScZasSCLRrtW4AtcrQZHtEo
    next
end

The password is system-generated and is used by FortiOS to encrypt and decrypt the keytab; no user intervention is required. Because 'show full' omits it, a configuration exported that way cannot restore a working Kerberos keytab entry on its own.

Scope

FortiGate.
Solution

Always back up using the admin GUI or the 'exe backup' CLI command, since only those include the system-generated keytab password.
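The following is an added example, not Fortinet's code and not part of the original article, that makes the difference described above checkable: it parses two FortiOS CLI configuration dumps (a 'show full' export and a real backup) into their 'config' / 'edit' / 'set' structure and reports which 'set' keys an entry has in the backup but not in the export. The two sample dumps are constructed from the article's output with placeholder strings in place of the encrypted keytab and password values; the parser handles nested 'config ... end' blocks in general, not only 'user krb-keytab'.

```python
"""Compare a FortiOS 'show full-configuration' export against a backup and list
the 'set' keys that the export lacks. Added example; sample dumps below are
constructed and use placeholders instead of real encrypted values."""
from typing import Dict, List

# Constructed sample: 'show full-configuration user krb-keytab' output (no password line).
SHOW_FULL = """\
config user krb-keytab
    edit "proxy_service"
        set pac-data disable
        set principal "HTTP/fgtproxy.syd.fortilabapac.lab@SYD.FORTILABAPAC.LAB"
        set ldap-server "AD"
        set keytab "ENC <keytab-placeholder>"
    next
end
"""

# Constructed sample: the same entry as written by 'exec backup' (password line present).
BACKUP = """\
config user krb-keytab
    edit "proxy_service"
        set pac-data disable
        set principal "HTTP/fgtproxy.syd.fortilabapac.lab@SYD.FORTILABAPAC.LAB"
        set ldap-server "AD"
        set keytab "ENC <keytab-placeholder>"
        set password ENC <password-placeholder>
    next
end
"""


def _entry_path(config_stack: List[str], edit_stack: List[str]) -> str:
    """Build a readable path such as 'user krb-keytab "proxy_service"' from the stacks."""
    return " / ".join(f'{c} "{e}"' if e else c for c, e in zip(config_stack, edit_stack))


def parse_fortios_config(text: str) -> Dict[str, Dict[str, str]]:
    """Walk a FortiOS CLI dump and return {entry path: {set key: value}}.

    'config' pushes a level, 'edit' names the current entry at that level,
    'next' leaves the entry and 'end' pops the level. 'set' lines are recorded
    under the current path; other statements (e.g. 'unset') are ignored.
    """
    result: Dict[str, Dict[str, str]] = {}
    config_stack: List[str] = []
    edit_stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            config_stack.append(line[len("config "):])
            edit_stack.append("")
        elif line.startswith("edit "):
            edit_stack[-1] = line[len("edit "):].strip('"')
        elif line == "next":
            edit_stack[-1] = ""
        elif line == "end":
            config_stack.pop()
            edit_stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            result.setdefault(_entry_path(config_stack, edit_stack), {})[key] = value
    return result


def missing_settings(export: str, backup: str) -> Dict[str, List[str]]:
    """Return {entry path: [keys]} for 'set' keys present in the backup but absent from the export."""
    exported = parse_fortios_config(export)
    full = parse_fortios_config(backup)
    missing: Dict[str, List[str]] = {}
    for entry, settings in full.items():
        absent = sorted(k for k in settings if k not in exported.get(entry, {}))
        if absent:
            missing[entry] = absent
    return missing


if __name__ == "__main__":
    # Expected: user krb-keytab "proxy_service": missing password
    for entry, keys in missing_settings(SHOW_FULL, BACKUP).items():
        print(f"{entry}: missing {', '.join(keys)}")
```

Running the script against the two constructed dumps reports that the 'proxy_service' entry under 'user krb-keytab' is missing 'password' in the 'show full' export. To use it on a real unit, paste the 'show full-configuration' output and the downloaded backup file into the two strings (or read them from files); an empty result means the export contains every 'set' key the backup does.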