[Freeipa-users] Help needed with keytabs

Roderick Johnstone rmj at ast.cam.ac.uk
Thu May 5 16:39:07 UTC 2016


I need to run some ipa commands in cron jobs.

The post here: 
suggests I need to use a keytab file to authenticate with Kerberos.

I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7, 
ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
destroy the current tickets, re-establish a tgt for the user with kinit 
using the keytab and try to run an ipa command. The ipa command fails 
(just like in my cron jobs which use the same kinit command).

1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test@EXAMPLE.COM -k /home/test/test.keytab -P
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step, 
otherwise it gets set to something random and the user test cannot log 
into the ipa client any more.

3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache 

4) kinit from the keytab:
$ kinit -F test@EXAMPLE.COM -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: test@EXAMPLE.COM

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, 

Can someone advise what I'm doing wrong in this procedure please (some 
strings were changed to anonymize the setting)?

For completeness of information, the ipa servers are RHEL 7.2, 


Roderick Johnstone
