[Freeipa-users] Help needed with keytabs

Roderick Johnstone rmj@ast.cam.ac.uk
Thu May 5 21:31:12 UTC 2016


Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping 
successfully. Then I tried my kinit syntax (after a kdestroy) and I can 
still ipa ping successfully!

So, it does work now, but I don't know why it didn't work for me 
earlier. It feels like some sort of caching problem but I think kdestroy 
clears the cache.

Thanks again for your help.

Roderick

On 05/05/2016 19:47, Michael ORourke wrote:
>
> Roderick,
>
> Here's how we do it.
> Create a service account user, for example "svc_useradm".
> Then generate a keytab for the service account, and store it somewhere secure.
> ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
>
> Now we can leverage the keytab for that user principal.
> Example:
> [root@infrae2u01 ~]# kdestroy
>
> [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_useradm@LNX.DR.LOCAL
>
> [root@infrae2u01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: svc_useradm@LNX.DR.LOCAL
>
> Valid starting     Expires            Service principal
> 05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/LNX.DR.LOCAL@LNX.DR.LOCAL
>
> [root@infrae2u01 ~]# ipa ping
> ------------------------------------------
> IPA server version 3.0.0. API version 2.49
> ------------------------------------------
>
> If you need to access the service account, then set up a sudo rule to switch user to that account.
> Example: "sudo su - svc_useradm"
>
> -Mike
>
> -----Original Message-----
>> From: Roderick Johnstone <rmj@ast.cam.ac.uk>
>> Sent: May 5, 2016 12:39 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] Help needed with keytabs
>>
>> Hi
>>
>> I need to run some ipa commands in cron jobs.
>>
>> The post here:
>> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>> suggests I need to use a keytab file to authenticate kerberos.
>>
>> I've tried the prescription there, with variations, without success.
>>
>> My current testing framework is to log into the ipa client (RHEL6.7,
>> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab,
>> destroy the current tickets, re-establish a tgt for the user with kinit
>> using the keytab and try to run an ipa command. The ipa command fails
>> (just like in my cron jobs which use the same kinit command).
>>
>> 1) Log into ipa client as user test.
>>
>> 2) Get the keytab
>> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test@EXAMPLE.COM -k
>> /home/test/test.keytab -P
>> New Principal Password:
>> Verify Principal Password:
>> Keytab successfully retrieved and stored in: /home/test/test.keytab
>>
>> I seem to have to reset the password to what it was in this step,
>> otherwise it gets set to something random and the user test cannot log
>> into the ipa client any more.
>>
>> 3) Log into the ipa client as user test. Then
>> $ kdestroy
>> $ klist
>> klist: No credentials cache found (ticket cache
>> FILE:/tmp/krb5cc_3395_PWO4wH)
>>
>> 4) kinit from the keytab:
>> $ kinit -F test@EXAMPLE.COM -k -t /home/test/test.keytab
>>
>> 5) Check the tickets
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>> Default principal: test@EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>
>> 6) Run an ipa command:
>> $ ipa ping
>> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
>> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
>> https://ipa2.example.com/ipa/xml
>>
>> Can someone advise what I'm doing wrong in this procedure please (some
>> strings were changed to anonymize the setting)?
>>
>> For completeness of information, the ipa servers are RHEL 7.2,
>> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>>
>> Thanks
>>
>> Roderick Johnstone
>>
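The keytab procedure Mike describes, turned into a cron wrapper as an added example (not code from the thread or from the FreeIPA project). It uses the principal and keytab path from his message, and adds a private credential cache via KRB5CCNAME plus a keytab permission check; check_keytab, kinit_command and run_ipa are names chosen here:

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a cron wrapper
# around the keytab procedure Mike describes. The principal and keytab path
# are the ones from his message; override them via the environment.
KEYTAB=${KEYTAB:-/root/svc_useradm.keytab}
PRINCIPAL=${PRINCIPAL:-svc_useradm@LNX.DR.LOCAL}

# A keytab holds the principal's long-term key, so refuse one that is
# missing or readable by group/others. Returns 0 if usable, 1 if missing,
# 2 if the mode is too permissive.
check_keytab() {
    [ -f "$1" ] || { echo "keytab $1 not found" >&2; return 1; }
    mode=$(ls -l "$1" | cut -c5-10)   # group+other permission bits
    case $mode in
        ------) return 0 ;;
        *) echo "keytab $1 has group/other permissions ($mode)" >&2; return 2 ;;
    esac
}

# The kinit invocation as a string, so it can be checked without a KDC.
# Principal last, as in Mike's command; kinit -k -t reads the key from
# the keytab instead of prompting for a password.
kinit_command() {
    printf 'kinit -k -t %s %s' "$1" "$2"
}

# Run one ipa command under a private credential cache. The job never
# touches the default FILE:/tmp/krb5cc_<uid> cache of an interactive login
# (the one Roderick's kdestroy/kinit tests shared), and its tickets are
# destroyed on exit whether or not the command succeeded.
run_ipa() {
    check_keytab "$KEYTAB" || return $?
    KRB5CCNAME=$(mktemp /tmp/krb5cc_cron.XXXXXX) || return 1
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null; rm -f "$KRB5CCNAME"' EXIT
    if ! kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        echo "kinit from $KEYTAB as $PRINCIPAL failed" >&2
        return 1
    fi
    klist -s || return 1       # exits non-zero if no valid TGT in the cache
    ipa "$@"
}

# Only act when given an ipa subcommand, e.g. from cron: ipa-cron.sh ping
if [ $# -gt 0 ]; then
    run_ipa "$@"
fi
```

Install the keytab with mode 0600 owned by the cron user, and point the cron entry at this script with the ipa subcommand as its argument.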
