[Freeipa-users] Help needed with keytabs

Roderick Johnstone rmj@ast.cam.ac.uk
Thu May 5 22:06:37 UTC 2016


Hi again

After further testing, it seems like my problems were caused by the use 
of the -F option on the kinit line.

Roderick
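The recipe the thread below converges on (a keytab for a dedicated service account, kinit without -F, then the ipa command), as an added cron wrapper that is not code from the thread: the principal, keytab path and ipa command are assumptions, the klist samples are constructed, and the forwardable-flag check turns the -F finding into a guard.

```shell
#!/bin/sh
# Added example, not from the thread: cron wrapper that authenticates from a
# keytab into a private credential cache, refuses to run if the TGT is not
# forwardable (what "kinit -F" produces, after which the ipa client cannot
# reach any configured server), runs the ipa command, and destroys the cache.
# Assumed values: service principal, keytab path and the ipa command below.

PRINC="${PRINC:-svc_useradm@EXAMPLE.COM}"        # assumption
KEYTAB="${KEYTAB:-/etc/ipa/svc_useradm.keytab}"  # assumption; keep it mode 0600

# tgt_forwardable: reads "klist -f" output on stdin; returns 0 when the
# krbtgt entry carries the F (forwardable) flag, 1 otherwise.
tgt_forwardable() {
    awk '
        /krbtgt\//             { want = 1; next }
        want && $1 == "Flags:" { if (index($2, "F")) ok = 1; want = 0 }
        END                    { exit ok ? 0 : 1 }
    '
}

run_ipa_job() {
    # Private cache: never clobber a login session's tickets or leave ours behind.
    KRB5CCNAME="$(mktemp /tmp/krb5cc_ipajob.XXXXXX)" || return 1
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null; rm -f "$KRB5CCNAME"' EXIT

    # No -F here: the ipa client delegates the TGT to the server it talks to.
    kinit -k -t "$KEYTAB" "$PRINC" || return 1

    if ! klist -f | tgt_forwardable; then
        echo "TGT for $PRINC is not forwardable; refusing to run ipa" >&2
        return 1
    fi
    ipa ping
}

# Constructed "klist -f" output (not captured from a real system) so the
# flag check can be exercised offline.
sample_klist_forwardable() {
    printf 'Ticket cache: FILE:/tmp/krb5cc_ipajob.Ab12Cd\n'
    printf 'Default principal: svc_useradm@EXAMPLE.COM\n\n'
    printf 'Valid starting     Expires            Service principal\n'
    printf '05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n'
    printf '\tFlags: FIA\n'
}
sample_klist_nonforwardable() {
    sample_klist_forwardable | sed 's/Flags: FIA/Flags: IA/'
}
if [ "${1-}" = run ]; then run_ipa_job; fi
```

Invoke it from cron as `wrapper.sh run`; without the argument it only defines the functions, which is how the sample checks below are exercised.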

On 05/05/2016 22:31, Roderick Johnstone wrote:
> Hi Mike
>
> Thanks for sharing your setup. It looks pretty much like mine.
>
> I just tried your kinit command syntax and then I can ipa ping
> successfully. Then I tried my kinit syntax (after a kdestroy) and I can
> still ipa ping successfully!
>
> So, it does work now, but I don't know why it didn't work for me
> earlier. It feels like some sort of caching problem but I think kdestroy
> clears the cache.
>
> Thanks again for your help.
>
> Roderick
>
> On 05/05/2016 19:47, Michael ORourke wrote:
>>
>> Roderick,
>>
>> Here's how we do it.
>> Create a service account user, for example "svc_useradm".
>> Then generate a keytab for the service account, and store it somewhere
>> secure.
>> ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
>>
>> Now we can leverage the keytab for that user principal.
>> Example:
>> [root@infrae2u01 ~]# kdestroy
>>
>> [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_useradm@LNX.DR.LOCAL
>>
>> [root@infrae2u01 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: svc_useradm@LNX.DR.LOCAL
>>
>> Valid starting     Expires            Service principal
>> 05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/LNX.DR.LOCAL@LNX.DR.LOCAL
>>
>> [root@infrae2u01 ~]# ipa ping
>> ------------------------------------------
>> IPA server version 3.0.0. API version 2.49
>> ------------------------------------------
>>
>> If you need to access the service account, then set up a sudo rule to
>> switch user to that account.
>> Example: "sudo su - svc_useradm"
>>
>> -Mike
>>
>> -----Original Message-----
>>> From: Roderick Johnstone <rmj@ast.cam.ac.uk>
>>> Sent: May 5, 2016 12:39 PM
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] Help needed with keytabs
>>>
>>> Hi
>>>
>>> I need to run some ipa commands in cron jobs.
>>>
>>> The post here:
>>> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>>> suggests I need to use a keytab file to authenticate kerberos.
>>>
>>> I've tried the prescription there, with variations, without success.
>>>
>>> My current testing framework is to log into the ipa client (RHEL6.7,
>>> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab,
>>> destroy the current tickets, re-establish a tgt for the user with kinit
>>> using the keytab and try to run an ipa command. The ipa command fails
>>> (just like in my cron jobs which use the same kinit command).
>>>
>>> 1) Log into ipa client as user test.
>>>
>>> 2) Get the keytab
>>> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test@EXAMPLE.COM -k /home/test/test.keytab -P
>>> New Principal Password:
>>> Verify Principal Password:
>>> Keytab successfully retrieved and stored in: /home/test/test.keytab
>>>
>>> I seem to have to reset the password to what it was in this step,
>>> otherwise it gets set to something random and the user test cannot log
>>> into the ipa client any more.
>>>
>>> 3) Log into the ipa client as user test. Then
>>> $ kdestroy
>>> $ klist
>>> klist: No credentials cache found (ticket cache
>>> FILE:/tmp/krb5cc_3395_PWO4wH)
>>>
>>> 4) kinit from the keytab:
>>> $ kinit -F test@EXAMPLE.COM -k -t /home/test/test.keytab
>>>
>>> 5) Check the tickets
>>> $ klist
>>> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>>> Default principal: test@EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>
>>> 6) Run an ipa command:
>>> $ ipa ping
>>> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
>>> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
>>> https://ipa2.example.com/ipa/xml
>>>
>>> Can someone advise what I'm doing wrong in this procedure please (some
>>> strings were changed to anonymize the setting)?
>>>
>>> For completeness of information, the ipa servers are RHEL 7.2,
>>> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>