[Freeipa-users] Problem with ipa-getkeytab ?
Martin Babinsky
mbabinsk at redhat.com
Thu Apr 21 15:48:35 UTC 2016
On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> I found a HowTo on FreeIPA to install an HA version of a mail system.
>
> Now I have a problem getting the keytab on the second server.
>
> On the first server I run:
>
> kinit admin
> ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> This is working,
>
> but on the second server, when I run
>
> kinit admin
> ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> for the same keytab,
> I get an error saying access is not possible?
>
> Is this a bug or a mistake on my part?
>
>
AFAIK reading Kerberos keys is a protected operation reserved for
root/directory manager only, so you will have to use your Directory
manager credentials for that:
"""
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD
"""
alternatively you can permit your admin user to retrieve the keytab
using the following command:
"""
ipa service-allow-retrieve-keytab imap/mail.example.com --users admin
"""
and then run ipa-getkeytab as admin
--
Martin^3 Babinsky
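As an added example (not part of the thread and not FreeIPA's own tooling): a script that does on the second server what Martin describes, granting the admin user retrieve rights and then fetching the existing key with -r under the admin ticket, and afterwards verifies the keytab by parsing klist -kt. Server, principal and keytab path are the ones from the thread; the klist listing used for the offline check is constructed. One caveat the thread does not spell out: without -r, ipa-getkeytab generates a new key and bumps the kvno, which silently invalidates the keytab already installed on the first server, so comparing the kvno reported on both hosts is the quick check that this did not happen. The script deliberately avoids -D/-w: a Directory Manager password on the command line is visible to every local user via ps, and ipa-getkeytab can prompt for it with -W if that path is ever needed.

```shell
#!/bin/bash
# Added example: retrieve an EXISTING service key on a second host and
# verify the result. Not from the mailing-list post.
set -e

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"        # from the thread
PRINCIPAL="${PRINCIPAL:-imap/mail.example.com}"    # from the thread
KEYTAB="${KEYTAB:-/etc/dovecot/dovecot.keytab}"    # from the thread

# Constructed sample of `klist -kt` output, used only for the offline checks.
SAMPLE_LISTING='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/21/2016 15:48:35 imap/mail.example.com@EXAMPLE.COM
   2 04/21/2016 15:48:35 imap/mail.example.com@EXAMPLE.COM
   3 04/21/2016 15:50:00 host/mail2.example.com@EXAMPLE.COM'

# Read a `klist -kt` listing on stdin, print unique "kvno principal" pairs.
# The first three lines are the keytab name, the column header and the rule;
# each entry line is: KVNO DATE TIME PRINCIPAL (one line per enctype).
keytab_entries() {
    awk 'NR > 3 && NF >= 4 { print $1, $NF }' | sort -u
}

# Exit 0 if the listing on stdin contains principal $1 (any realm).
keytab_has_principal() {
    local want="$1"
    keytab_entries | awk -v p="$want" \
        'index($2, p "@") == 1 { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the highest kvno present for principal $1 in the listing on stdin.
# Compare this value between the two mail servers: they must be equal, or
# one of them fetched a freshly generated key and the other keytab is dead.
keytab_kvno() {
    local want="$1"
    keytab_entries | awk -v p="$want" \
        'index($2, p "@") == 1 && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# The procedure from Martin's reply, run on the second server with a valid
# admin ticket (kinit admin).
fetch_existing_keytab() {
    # One-time grant; reading existing keys is otherwise reserved to
    # Directory Manager. Safe to repeat, the ACL entry is idempotent.
    ipa service-allow-retrieve-keytab "$PRINCIPAL" --users admin

    # -r = retrieve the CURRENT key. Omitting -r would generate a new key and
    # increment the kvno, invalidating the keytab on the first server.
    ipa-getkeytab -r -s "$IPA_SERVER" -p "$PRINCIPAL" -k "$KEYTAB"

    # Keytabs are long-term secrets; restrict them to the user that reads them.
    chmod 0600 "$KEYTAB"

    # Verify the expected principal actually landed in the file.
    klist -kt "$KEYTAB" | keytab_has_principal "$PRINCIPAL"
    echo "kvno on this host: $(klist -kt "$KEYTAB" | keytab_kvno "$PRINCIPAL")"
}

if [ "${1:-}" = "run" ]; then
    kinit admin
    fetch_existing_keytab
fi
```

Run it as `./getkeytab-second-host.sh run` on the second mail server after the first one has its keytab, then compare the printed kvno with `klist -kt /etc/dovecot/dovecot.keytab` on the first host; the parsing helpers can be exercised with the embedded sample listing without any KDC.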