[Freeipa-users] freeipa remote commands

Dmitri Pal dpal at redhat.com
Fri Jan 3 21:32:17 UTC 2014


On 01/03/2014 04:01 PM, Rob Crittenden wrote:
> Zulkifal Ahmad wrote:
>> Hi Experts,
>> I am trying to run a script from a remote server which creates user
>> principals and generates keytabs on my ipa server installed on CentOS 6.5
>> ipav3. The issue that I am getting is that when I run the same script
>> from the terminal of the remote server it runs fine and retrieves the
>> keytabs but when it is run from a webUI of the remote server it gives me
>> an error.

What are you using as a web server?
You need to give the web server privileges to perform the operation on
behalf of the user, or delegate user tickets to the web server to act as the user.
Both need some advanced knowledge of Kerberos. The Gssproxy project was
created to help with that a bit, but it is not in 6.x, so you would have
to build it yourself. With it you might be able to allow the web server to
perform GSSAPI operations on behalf of the users via Gssproxy.

>> " ipa: Error: did not receive kerberos credentials " .
>> FYI, my client/remote server is a part of the ipa domain and has the
>> same version of ipa client installed, i.e. v3.
>
> Because on your local terminal you have a valid ticket when you run
> it, but running within the web server it doesn't unless you explicitly
> do a kinit (or delegate the TGT from the requesting web browser).
>
>> This procedure was tested on an ordinary MIT Kerberos server and runs
>> with no issues.
>
> Using what tool? I'm guessing you used kadmin or kadmin.local which is
> an apples to oranges comparison.
>
> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
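
An added illustration, not part of this thread or of FreeIPA itself: a wrapper a web application could call so that each command runs with a ticket, following the "explicitly do a kinit" route discussed above rather than TGT delegation or Gssproxy. The keytab path, the service principal and the function name `run_with_ticket` are assumptions.

```shell
#!/bin/sh
# Added example. Assumed values (not from the thread): KEYTAB, PRINCIPAL.
# The keytab should be readable only by the web server account, and the
# principal needs IPA privileges for whatever the wrapped command does.
KEYTAB="${KEYTAB:-/etc/httpd/conf/webapp.keytab}"
PRINCIPAL="${PRINCIPAL:-webapp/client.example.com@EXAMPLE.COM}"

# run_with_ticket CMD [ARGS...]
# Gets a ticket from the keytab into a private, per-call credential cache,
# runs CMD with KRB5CCNAME pointing at that cache, then destroys the cache.
# Returns CMD's exit status; 2 = no command, 3 = keytab unreadable,
# 4 = cache file could not be created, 5 = kinit failed (CMD is not run).
run_with_ticket() {
    [ "$#" -gt 0 ] || { echo "usage: run_with_ticket cmd [args...]" >&2; return 2; }
    [ -r "$KEYTAB" ] || { echo "keytab not readable: $KEYTAB" >&2; return 3; }
    # mktemp creates the file with mode 0600, so other local users cannot read the ticket.
    cc_file=$(mktemp "${TMPDIR:-/tmp}/krb5cc_webapp_XXXXXX") || return 4
    rc=0
    (
        KRB5CCNAME="FILE:$cc_file"
        export KRB5CCNAME
        if ! kinit -k -t "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1; then
            echo "kinit failed for $PRINCIPAL" >&2
            exit 5
        fi
        cmd_rc=0
        "$@" || cmd_rc=$?
        kdestroy -q >/dev/null 2>&1
        exit "$cmd_rc"
    ) || rc=$?
    rm -f "$cc_file"
    return "$rc"
}

# Constructed usage (user name, host and paths are placeholders):
#   run_with_ticket ipa user-add jdoe --first=John --last=Doe
#   run_with_ticket ipa-getkeytab -s ipa.example.com -p jdoe@EXAMPLE.COM -k /tmp/jdoe.keytab
```

Because the cache is created per call and named through `KRB5CCNAME`, the wrapped command never depends on whatever ticket the web server process may or may not have inherited.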

