[Freeipa-users] Help needed with keytabs

Michael ORourke mrorourke at earthlink.net
Thu May 5 18:47:19 UTC 2016


Roderick,

Here's how we do it.  
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_useradm@LNX.DR.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_useradm@LNX.DR.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/LNX.DR.LOCAL@LNX.DR.LOCAL

[root@infrae2u01 ~]# ipa ping
------------------------------------------
IPA server version 3.0.0. API version 2.49
------------------------------------------

If you need to access the service account, then set up a sudo rule to switch user to that account.
Example: "sudo su - svc_useradm"

-Mike
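A cron-side wrapper for the procedure above, added here as an example and not code from the thread: it refuses a keytab that is readable by anyone but its owner (the keytab is equivalent to the account's password), obtains the ticket into a private credential cache so the job never touches root's /tmp/krb5cc_0, runs the requested ipa command, and destroys the ticket afterwards. The keytab path and principal are placeholders taken from Mike's example.

```shell
#!/bin/sh
# Constructed example: run one IPA command under a service-account keytab.
# KEYTAB and PRINCIPAL are placeholder values, override them from the environment.
KEYTAB="${KEYTAB:-/root/svc_useradm.keytab}"
PRINCIPAL="${PRINCIPAL:-svc_useradm@LNX.DR.LOCAL}"

# Succeeds only if the file exists and has no group/other permission bits
# (columns 5-10 of `ls -l` output), i.e. mode 0600 or stricter.
keytab_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Acquire a TGT from the keytab into a fresh per-job cache, run "$@",
# then destroy the ticket and remove the cache. Returns the command's status,
# or 2 if the keytab is unsafe or the cache cannot be created.
run_as_service() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: must be owner-readable only (0600)" >&2
        return 2
    fi
    cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_svc.XXXXXX") || return 2
    KRB5CCNAME="FILE:$cc"
    export KRB5CCNAME
    # Same kinit form as in the reply: key from keytab, no password prompt
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || { rc=$?; rm -f "$cc"; return $rc; }
    "$@"
    rc=$?
    kdestroy 2>/dev/null
    rm -f "$cc"
    return $rc
}

# Usage from cron (constructed): */30 * * * * /usr/local/sbin/ipa-svc.sh ipa ping
if [ $# -gt 0 ]; then
    run_as_service "$@"
fi
```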

-----Original Message-----
>From: Roderick Johnstone <rmj at ast.cam.ac.uk>
>Sent: May 5, 2016 12:39 PM
>To: freeipa-users at redhat.com
>Subject: [Freeipa-users] Help needed with keytabs
>
>Hi
>
>I need to run some ipa commands in cron jobs.
>
>The post here: 
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html 
>suggests I need to use a keytab file to authenticate kerberos.
>
>I've tried the prescription there, with variations, without success.
>
>My current testing framework is to log into the ipa client (RHEL6.7, 
>ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
>destroy the current tickets, re-establish a tgt for the user with kinit 
>using the keytab and try to run an ipa command. The ipa command fails 
>(just like in my cron jobs which use the same kinit command).
>
>1) Log into ipa client as user test.
>
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test@EXAMPLE.COM -k 
>/home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>
>I seem to have to reset the password to what it was in this step, 
>otherwise it gets set to something random and the user test cannot log 
>into the ipa client any more.
>
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache 
>FILE:/tmp/krb5cc_3395_PWO4wH)
>
>4) kinit from the keytab:
>$ kinit -F test@EXAMPLE.COM -k -t /home/test/test.keytab
>
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal: test@EXAMPLE.COM
>
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
>domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, 
>https://ipa2.example.com/ipa/xml
>
>Can someone advise what I'm doing wrong in this procedure please (some 
>strings were changed to anonymize the setting)?
>
>For completeness of information, the ipa servers are RHEL 7.2, 
>ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
>Thanks
>
>Roderick Johnstone
>