[Freeipa-users] ipa and cronjob

Anthony Messina amessina at messinet.com
Wed Nov 14 06:22:29 UTC 2012


On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote:
> On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
> > 1. Using automatic login with the lightdm display manager, I have it run the
> > following script to remove any old Kerberos ccaches, then obtain a new ticket
> > on behalf of the user, and set the appropriate permissions and SELinux
> > context.  Note that in this case, I echo the password to kinit -- If I
> > exported a keytab, I would not be able to manually login with a known password
> > if there were a problem.
> 
> Just FYI, this is not strictly true, look at the -P, --password option
> of ipa-getkeytab

Thanks.  I didn't notice that option since I'd been using this method since 
before I started using IPA.

Is the password used to generate a principal still usable after a keytab has
been exported?  I seem to remember from my pre-IPA days of using a plain old
standalone MIT KDC that I couldn't use the password to authenticate after the
keytab had been exported using kadmin.  Again, I never really investigated it,
but the password never seemed to work after the keytab was exported.

-A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E