[Freeipa-users] ipa and cronjob
Petr Spacek
pspacek at redhat.com
Wed Nov 14 08:42:03 UTC 2012
On 11/14/2012 07:22 AM, Anthony Messina wrote:
> On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote:
>> On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
>>> 1. Using automatic login with the lightdm display manager, I have it run the
>>> following script to remove any old Kerberos ccaches, then obtain a new ticket
>>> on behalf of the user, and set the appropriate permissions and SELinux
>>> context. Note that in this case, I echo the password to kinit -- if I
>>> exported a keytab, I would not be able to manually login with a known password
>>> if there were a problem.
>>
>> Just FYI, this is not strictly true, look at the -P, --password option
>> of ipa-getkeytab
>
> Thanks. I didn't notice that option since I'd been using this method since
> before I started using IPA.
>
> Is the password used to generate a principal still usable after a keytab has
> been exported? I seem to remember from my pre-IPA days of using a plain old
> standalone MIT KDC that I couldn't use the password to authenticate after the
> keytab had been exported using kadmin. Again, I never really investigated it,
> but the password never seemed to work after the keytab was exported.
Kadmin from the original MIT Kerberos has two flavors: kadmin and kadmin.local.
Only "kadmin.local" (which works locally on the KDC) can export a keytab without
re-generating the key (i.e. the password).
The network version, "kadmin", has to re-generate the key before each export.
Simo can provide details about the IPA get-keytab implementation.
--
Petr^2 Spacek
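An added example (not code from the thread or from the FreeIPA project) of the cron-side half of what this thread discusses: once a keytab has been exported with ipa-getkeytab -P, so that the user's password keeps working for interactive login, a cron job can kinit from that keytab into its own credential cache instead of echoing a password to kinit. The script refuses a keytab that is not mode 0600 and owned by the caller, keeps the job's ccache separate from the interactive session's, and destroys it afterwards. The hostname, realm, principal and paths are placeholders, and the MIT Kerberos client tools (kinit, klist, kdestroy) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA.
# Assumptions: MIT Kerberos client tools on PATH, and a keytab exported once with
#   ipa-getkeytab -s ipa.example.test -p alice@EXAMPLE.TEST \
#                 -k /home/alice/.krb5.keytab -P
# (-P reuses the existing password as the key, so the password stays usable).
# ipa.example.test, EXAMPLE.TEST, alice and the paths are placeholders.

set -u

# Return 0 only if $1 is a regular file, mode exactly 0600, owned by the caller.
# A keytab holds a long-term key, so anything looser is refused outright.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm 600 -user "$(id -un)" -print 2>/dev/null)" ]
}

# Per-job credential cache path, so the cron job never touches (or clobbers)
# the ccache of the user's interactive session.
job_ccache() {
    printf '%s/krb5cc_%s_%s\n' "${TMPDIR:-/tmp}" "$(id -u)" "$1"
}

# Obtain a TGT for principal $2 from keytab $1 into ccache $3, then verify it.
# Returns 2 (without ever calling kinit) when the keytab permissions are unsafe,
# 1 when kinit fails or no valid TGT ends up in the cache, 0 on success.
obtain_ticket() {
    keytab="$1"; principal="$2"; ccache="$3"
    keytab_is_private "$keytab" || {
        echo "refusing keytab $keytab: not a 0600 file owned by $(id -un)" >&2
        return 2
    }
    kinit -k -t "$keytab" -c "$ccache" "$principal" || return 1
    # klist -s is silent and exits non-zero if the cache has no valid TGT
    klist -s -c "$ccache"
}

# Usage: main KEYTAB PRINCIPAL COMMAND [ARGS...]
main() {
    keytab="${1:?keytab}"; principal="${2:?principal}"; shift 2
    ccache=$(job_ccache "$$")
    obtain_ticket "$keytab" "$principal" "$ccache" || exit 1
    # Hand the job its own ccache via KRB5CCNAME, then clean up regardless of outcome.
    KRB5CCNAME="$ccache" "$@"
    rc=$?
    kdestroy -c "$ccache"
    exit "$rc"
}

# Only run when invoked for real, e.g. from crontab:
#   KRB_CRON_RUN=1 /usr/local/bin/krb-cron.sh /home/alice/.krb5.keytab \
#       alice@EXAMPLE.TEST /usr/bin/rsync -a /srv/data/ backup.example.test:/srv/data/
if [ "${KRB_CRON_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

The permission check runs before kinit rather than after, so a world-readable keytab is never used even once; if the check fails, fix the file mode (chmod 0600) rather than loosening the check.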