[Freeipa-users] User keytab file

David O'Brien davido at redhat.com
Wed May 13 03:35:30 UTC 2009


Daniel Scott wrote:
> Hi,
>
> Thanks for the comments.
>
> 2009/5/12 David O'Brien <davido at redhat.com>:
>
>> You don't mention what OSes you're using, so I can only make a suggestion
>> here:
>>
>
> Sorry for not mentioning the OS, both client and server are Fedora 10.
>
>
>> It looks like you're using Kerberos' native tools, which are not supported
>> in IPA. Have a look at (in particular) section 1.2 in the Administration
>> Reference on the freeipa.org site.
>> http://freeipa.org/docs/1.2/Administrators_Reference/en-US/html/index.html
>>
>
> The native kerberos tools are not supported? The manual states that I
> should use kinit and klist here:
>
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_the_IPA_Server-Configuring_the_IPA_Server.html#sect-Installation_and_Deployment_Guide-Configuring_the_IPA_Server-Testing_the_Configuration
>
> Are there some undocumented ipa* tools for obtaining and listing
> kerberos tickets? I see the manual makes no mention of ktutil - is it
> just this tool which is unsupported? In any case, surely it doesn't
> really matter how I obtain the ticket?
>
> Thanks for the link, I have read through it. I should confirm that I
> have the service principals working correctly. host/ services for
> passwordless SSH and HTTP/ services for apache authentication.
>
> The problem is that I'm trying to add a 'service' principal for a user
> (which I understand is a 'user principal'. Maybe my terminology is
> wrong, please correct me if so), to enable passwordless
> authentication. Maybe I'm not being clear. I'm trying to obtain a
> service principal (which, if I understand correctly, permits a server
> to authenticate without a password, like an SSH keypair?) but for a
> particular user, rather than a service.
>
> The situation that I'm trying to solve: I have NFS shares
> authenticated through kerberos. I want to backup some of these files
> using a user 'backup' which is performed through a cronjob. When the
> cronjob is executed, there is no guarantee that the backup user will
> have a valid ticket and so I need a way to obtain a ticket without a
> password. Which I believe I can do through user principals.
>
> If I run, for example:
>
> # ipa-addservice backup@EXAMPLE.COM
> The requested service principal is not of the form:
> service/fully-qualified host name
>
> So it appears that the ipa-addservice tool does not support the
> addition of user principals. The manpage implies this as it states
> that a FQDN must be given. I could force this to enable creation of a
> user principal service, but I'm not sure that is correct.
>
>
>> Are you actually using EXAMPLE.COM as your realm name? That's what the
>> Kerberos config file (/etc/krb5.conf) uses by default, so you'll need to
>> change it to whatever your real realm name is.
>>
>
> Nope :). I replaced my real realm name with example.com for anonymity.
> The realm is configured properly and working correctly.
>
> Thanks,
>
> Dan
>
CC'ing the list for better coverage.

Using kinit and klist is not a problem. I just wanted to make sure you 
weren't using kadmin.local, etc. I'm no whizz at this, which is why I'm 
only offering suggestions. Expect some more useful answers once the USA 
hits daylight :)

wrt the use of ktutil, have a look at the Client Configuration Guide, 
and especially Configuring NFS v4 with Kerberos, which talks about 
adding services, getting the keytab onto the client, etc. There's a 
whole section devoted to Fedora (written for f9 but should be fine for f10).

cheers
David

-- 

David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when
one will do."
    Thomas Jefferson 
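The cron-driven case Dan describes (a 'backup' user that must obtain a ticket without a password before touching Kerberos-authenticated NFS) is, in practice, a kinit from a keytab. The wrapper below is an added example, not from the thread or the IPA docs; it assumes the keytab has already been issued and copied to the client (the step the Client Configuration Guide covers), and the path /etc/backup.keytab, the principal backup@EXAMPLE.COM and the rsync source/target are placeholders.

```shell
#!/bin/sh
# Hypothetical cron wrapper for the 'backup' user: get a ticket from a keytab
# into a private credential cache, run the backup, then destroy the ticket.
# KEYTAB and PRINCIPAL are placeholders; set them to the real values.
KEYTAB="${KEYTAB:-/etc/backup.keytab}"
PRINCIPAL="${PRINCIPAL:-backup@EXAMPLE.COM}"

# A keytab is a password equivalent for its principal, so refuse one that
# group or other can read. Uses GNU stat (Fedora); mode must end in "00".
keytab_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

run_backup() {
    if ! keytab_ok "$KEYTAB"; then
        echo "refusing to run: $KEYTAB is missing or readable by others" >&2
        return 2
    fi
    # Private cache so the cron job never reuses (or clobbers) an interactive
    # login's ticket cache; mktemp -d gives a 0700 directory.
    ccdir=$(mktemp -d) || return 2
    export KRB5CCNAME="FILE:$ccdir/cc"
    # -k -t: authenticate with the keytab instead of prompting for a password.
    if ! kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        echo "kinit failed for $PRINCIPAL" >&2
        rm -rf "$ccdir"
        return 3
    fi
    # klist -s is silent and exits non-zero if the cache holds no valid TGT.
    if ! klist -s; then
        echo "no valid ticket after kinit" >&2
        kdestroy; rm -rf "$ccdir"
        return 3
    fi
    rsync -a /srv/nfs/data/ /backup/data/    # placeholder backup step
    rc=$?
    kdestroy                                 # drop the ticket as soon as done
    rm -rf "$ccdir"
    return $rc
}
```

In the crontab, run it as the backup user (not root) so the job holds only that principal's ticket, and keep the keytab owned by that user with mode 0600.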
