[Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??

Dmitri Pal dpal at redhat.com
Fri Apr 27 18:52:20 UTC 2012


On 04/26/2012 10:58 PM, David Copperfield wrote:
> Hi,
>
>  Just have a silly case where I've to download the existing version
> keytab for a service principal. It is download only -- not recreate a
> new version and download the new version which ipa-getkeytab does. --
> ipa-getkeytab command name seems a little bit misleading because it
> does both 'set' and 'get' operations.
>
>  I've overheard that there is a way to get it from the underlying 389
> directory server but I'm not sure how to do it. Anyone please shed a
> light on this? Similarly, how to download a host certificate from
> Dogtag, because 'ipa-getcert request' also resets it -- I may be
> wrong and so please feel free to correct me :);  or how about a user
> principal's keytab from 389 too? Thanks a lot.
>
> --David
>

Is it a one-time operation? If so, you can use the ldapsearch utility. The
object will have the ipaHost object class in IPA. You can use a
Directory Manager credential to authenticate.
I suggest you do it on the server and then deliver the key and the cert
manually.

I thought that there was a flag for ipa-getkeytab to fetch the existing key,
but my knowledge in this area is rusty. Same with the cert.
Maybe someone else would chime in.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

