[Freeipa-users] Help needed with keytabs

Petr Spacek pspacek@redhat.com
Fri May 6 08:00:42 UTC 2016


On 5.5.2016 18:39, Roderick Johnstone wrote:
> Hi
> 
> I need to run some ipa commands in cron jobs.
> 
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate kerberos.
> 
> I've tried the prescription there, with variations, without success.
> 
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a tgt for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
> 
> 1) Log into ipa client as user test.
> 
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test@EXAMPLE.COM -k /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
> 
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
> 
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
> 
> 4) kinit from the keytab:
> $ kinit -F test@EXAMPLE.COM -k -t /home/test/test.keytab
> 
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: test@EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> 
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://ipa2.example.com/ipa/xml
> 
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?

The Kerberos part seems okay, but for some reason the connection to the IPA servers does
not work.

I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'

and see what these print out.

Petr^2 Spacek

> 
> For completeness of information, the ipa servers are RHEL 7.2,
> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
> 
> Thanks
> 
> Roderick Johnstone
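The cron procedure discussed in this thread (authenticate from a keytab, then run an ipa command) and Petr's two diagnostic commands, written out as one wrapper script. This is an added example, not code from either poster: it assumes the keytab has already been fetched with ipa-getkeytab as shown above, that the MIT krb5 client tools (kinit, klist, kdestroy), the ipa CLI and curl are on PATH, that the client's /etc/ipa/default.conf carries an xmlrpc_uri line, and it uses the hypothetical script name ipa-cron.sh. It deliberately authenticates into a private credential cache so a cron job never reuses or clobbers the interactive user's /tmp/krb5cc_* cache, and it runs the diagnostics only when the real command fails, so the cron mail carries the evidence.

```shell
#!/bin/sh
# ipa-cron.sh (hypothetical name): run an ipa command from cron using a keytab.
# Added example, not from the freeipa-users thread.
set -u

# ipa_run_with_keytab PRINCIPAL KEYTAB COMMAND [ARGS...]
# Returns the command's exit status, or 2 if authentication from the
# keytab did not yield a usable TGT.
ipa_run_with_keytab() {
    principal=$1
    keytab=$2
    shift 2

    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is missing or not readable" >&2
        return 2
    fi
    # A keytab is a long-term key: warn if group/other have any access.
    perms=$(ls -ld "$keytab" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "warning: $keytab is readable by others (mode bits $perms)" >&2
    fi

    # Private credential cache for this job only. Cron has no login
    # session, so never rely on the default /tmp/krb5cc_<uid>_* cache.
    KRB5CCNAME="FILE:$(mktemp "${TMPDIR:-/tmp}/krb5cc_cron.XXXXXX")"
    export KRB5CCNAME

    if ! kinit -k -t "$keytab" "$principal"; then
        echo "kinit from $keytab as $principal failed" >&2
        rm -f "${KRB5CCNAME#FILE:}"
        return 2
    fi

    # klist -s exits non-zero when the cache holds no valid, unexpired TGT.
    if ! klist -s; then
        echo "no valid TGT in $KRB5CCNAME after kinit" >&2
        kdestroy >/dev/null 2>&1
        return 2
    fi

    "$@"
    rc=$?
    kdestroy >/dev/null 2>&1   # also removes the cache file
    return "$rc"
}

# ipa_diagnose [CONFIG]
# Petr's two checks: a debug ping through the ipa client, and a plain HTTPS
# fetch of the XML-RPC endpoint taken from the client's default.conf
# (xmlrpc_uri = https://server/ipa/xml) so no hostname is hard-coded.
# Returns 1 if no xmlrpc_uri could be found, otherwise curl's status.
ipa_diagnose() {
    conf=${1:-/etc/ipa/default.conf}
    ipa --debug ping 2>&1 | tail -n 20 >&2
    uri=$(sed -n 's/^xmlrpc_uri *= *//p' "$conf" 2>/dev/null | head -n 1)
    if [ -z "$uri" ]; then
        echo "no xmlrpc_uri in $conf" >&2
        return 1
    fi
    # -sS: silent on success but still report TLS, DNS and connect errors.
    curl -sS -o /dev/null \
        -w 'HTTP %{http_code} from %{url_effective}\n' "$uri" >&2
}

# Usage from a crontab line (assumed paths):
#   */30 * * * * /usr/local/bin/ipa-cron.sh test@EXAMPLE.COM /home/test/test.keytab ipa ping
if [ "$#" -ge 3 ]; then
    ipa_run_with_keytab "$@" || { ipa_diagnose; exit 1; }
fi
```

Keep the keytab at mode 0600 and owned by the account the cron job runs as; the script only warns about looser permissions rather than refusing to run, so that an operator can still see the warning in the cron output before tightening it.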