[Freeipa-users] User keytab file

Simo Sorce ssorce at redhat.com
Tue Jun 30 13:11:21 UTC 2009


On Tue, 2009-06-23 at 11:49 -0400, Daniel Scott wrote:
> This problem still occurs. I've worked around it by using the standard
> Fedora user authorization/authentication, but it's not really the best
> way to go about it. I'm still not sure if I'm even going about this
> the right way. Is there actually such a thing as a 'user principal'?
> There must be a way for an automated process to obtain a Kerberos
> ticket. Maybe I'm going about this the wrong way?

The only way to get a Kerberos ticket is to have the shared secret at
hand; whether that is a password or a keytab really makes no difference,
they are equivalent for all purposes.

> Any suggestions would be greatly appreciated. Does anyone have this or
> something similar working?

I am not sure what doesn't work. The message you see in the logs is
perfectly normal: we configure the KDC to require pre-authentication,
but by default kinit sends the classic request first, and only when it
gets the preauth required error does it send a preauth request (if
necessary after having asked for a password). In short, that message is
not an error.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
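
Added example, not part of the original message or of FreeIPA: a small triage script that treats the preauth-required entry as the normal first leg of an AS exchange and reports only exchanges that actually failed or were never completed. The log line layout is an assumption modelled on MIT krb5kdc logging, and the sample lines, hosts, addresses and principals are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines; layout assumed to follow MIT krb5kdc logging.
# Hosts, addresses and principals are made up for this example.
SAMPLE_LOG = """\
Jun 23 11:49:01 ipa.example.com krb5kdc[2101](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: batch@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 23 11:49:01 ipa.example.com krb5kdc[2101](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1245772141, etypes {rep=18 tkt=18 ses=18}, batch@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 23 11:50:12 ipa.example.com krb5kdc[2101](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 23 11:50:15 ipa.example.com krb5kdc[2101](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jun 23 11:52:40 ipa.example.com krb5kdc[2101](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12: NEEDED_PREAUTH: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

# Client address, status keyword, and client principal of an AS_REQ entry.
# ISSUE lines carry "authtime ..., etypes {...}, " before the principal.
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+@\S+) for krbtgt/")


def triage(log_text):
    """Classify AS exchanges per client as ok, failed or unanswered."""
    pending = defaultdict(int)  # (client, addr) -> open preauth challenges
    result = {"ok": [], "failed": [], "unanswered": []}
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue
        key = (m["client"], m["addr"])
        status = m["status"]
        if status == "NEEDED_PREAUTH":
            pending[key] += 1  # normal first leg of the exchange, not an error
            continue
        # Any other status answers the most recent challenge for this client.
        pending[key] = max(0, pending[key] - 1)
        if status == "ISSUE":
            result["ok"].append(m["client"])
        else:
            result["failed"].append((m["client"], status))
    # Challenges with no follow-up request (for example an abandoned prompt).
    result["unanswered"] = sorted(c for (c, _), n in pending.items() if n > 0)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
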



