[Freeipa-users] Help needed with keytabs
Petr Spacek
pspacek at redhat.com
Fri May 6 08:00:42 UTC 2016
On 5.5.2016 18:39, Roderick Johnstone wrote:
> Hi
>
> I need to run some ipa commands in cron jobs.
>
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate kerberos.
>
> I've tried the prescription there, with variations, without success.
>
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a tgt for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
>
> 1) Log into ipa client as user test.
>
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test@EXAMPLE.COM -k /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
>
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
>
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>
> 4) kinit from the keytab:
> $ kinit -F test@EXAMPLE.COM -k -t /home/test/test.keytab
>
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: test@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://ipa2.example.com/ipa/xml
>
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?
The Kerberos part seems okay, but for some reason the connection to the IPA servers does not work.
I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'
and see what these print out.
Petr^2 Spacek
>
> For completeness of information, the ipa servers are RHEL 7.2,
> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
> Thanks
>
> Roderick Johnstone
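The procedure from the thread (keytab, fresh TGT, ipa command) wrapped as a cron script, with the diagnostics Petr asks for run automatically when the ipa command fails. This is an added example, not code from the thread or from FreeIPA; the keytab path, principal, config path and CA path are assumptions taken from the anonymized values above. It adds two checks a practitioner wants in an unattended job: it refuses a keytab that other users can read (a keytab is a long-lived password equivalent), and it uses a per-job credential cache so the job never destroys the tickets of an interactive login.

```shell
#!/bin/sh
# ipa-cron.sh: run one ipa command from cron, authenticating with a user keytab.
# Added example for this thread, not code from the list or from FreeIPA.
# The defaults below are assumptions modelled on the anonymized thread values.
set -eu

KEYTAB="${KEYTAB:-/home/test/test.keytab}"
PRINCIPAL="${PRINCIPAL:-test@EXAMPLE.COM}"
IPA_CONF="${IPA_CONF:-/etc/ipa/default.conf}"
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"

# A keytab is equivalent to the account's password: refuse one that is not a
# regular file, not owned by us, or readable by group/other (must be 0600-ish).
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    line=$(ls -ldn -- "$f")                       # "-rw------- 1 <uid> <gid> ..."
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    mode=$(printf '%s\n' "$line" | cut -c5-10)   # group+other permission bits
    [ "$owner" = "$(id -u)" ] && [ "$mode" = "------" ]
}

# Print the xmlrpc_uri from an /etc/ipa/default.conf-style file; this is the
# first server the ipa CLI tries and the one named in "cannot connect to ...".
ipa_xmlrpc_uri() {
    awk -F= '$1 ~ /^[[:space:]]*xmlrpc_uri[[:space:]]*$/ {
                 gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Hostname part of an https:// URL, for the DNS check below.
uri_host() {
    printf '%s\n' "$1" | sed -E 's#^https?://([^/:]+).*#\1#'
}

# Probe an IPA server over HTTPS without Kerberos and print the HTTP status.
# Any real status (typically 401, since /ipa/xml requires Negotiate) proves
# DNS, TCP and TLS work; 000 means the failure is below the Kerberos layer.
probe_server() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$IPA_CA" "$1" 2>/dev/null) || code=000
    printf '%s\n' "${code:-000}"
}

main() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing $KEYTAB: must be a regular file owned by uid $(id -u) with mode 0600" >&2
        exit 1
    }
    # Private credential cache: the thread's klist shows a per-login
    # FILE:/tmp/krb5cc_* cache, and a cron job must not kdestroy that one.
    cc=$(mktemp /tmp/krb5cc_cron.XXXXXX)
    export KRB5CCNAME="FILE:$cc"
    trap 'kdestroy 2>/dev/null; rm -f "$cc"' EXIT

    kinit -k -t "$KEYTAB" "$PRINCIPAL"
    klist -s                                  # non-zero exit if no valid TGT

    if ipa "$@"; then
        return 0
    fi
    # Same situation as the thread: TGT present, but ipa cannot reach a server.
    echo "ipa $* failed; collecting diagnostics" >&2
    ipa --debug "$@" 2>&1 | tail -n 40 >&2 || true
    uri=$(ipa_xmlrpc_uri "$IPA_CONF")
    host=$(uri_host "$uri")
    echo "xmlrpc_uri=$uri host=$host http_status=$(probe_server "$uri")" >&2
    getent hosts "$host" >&2 || echo "DNS lookup for $host failed" >&2
    return 1
}

# Usage: ipa-cron.sh <ipa subcommand...>   e.g.  ipa-cron.sh ping
[ $# -eq 0 ] || main "$@"
```

Put `ipa-cron.sh ping` in the crontab. A probe status of 401 shows the server answers over TLS and the fault lies in the HTTP/Negotiate stage that `ipa --debug` logs; 000 (or a certificate complaint from curl) shows DNS, TCP or TLS is broken, which a valid TGT in `klist` can never reveal. Note that `ipa-getkeytab` replaces the account's key whether or not `-P` is given, which is why the thread had to re-enter the password; for an unattended job a dedicated account whose password nobody types interactively is the safer choice.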