[Freeipa-users] keytab kvno differs between ipa servers

Bjarne Blichfeldt BJB at jndata.dk
Tue Nov 22 10:15:37 UTC 2016


Thanks for the suggestion.

Yes, I tried the -r option but could not get it to work. Permission denied even as admin.
In the design paper it looks like this is not yet implemented for user principals.
I ended up retrieving the required keytab entry and putting it in a configuration channel in Satellite. That makes it easy to distribute.

I haven't located the replication problem yet, but did an "ipa-replica-manage re-initialize". That got the kvno to the same level. Haven't had the courage to retrieve the keytab to test the replication yet. Will do that in a different environment shortly.
 

Regards
Bjarne Blichfeldt.


-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com] 
Sent: 22. november 2016 10:25
To: Bjarne Blichfeldt <BJB at jndata.dk>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] keytab kvno differs between ipa servers

On (21/11/16 13:54), Bjarne Blichfeldt wrote:
>ok Thanks
>
>I will try to debug that.  No errors in the logs, the ldapsearch from your link works fine..
>ok work ahead...
>
>Regards
>
>Bjarne Blichfeldt
>
man 1 ipa-getkeytab says:
       WARNING: retrieving the keytab resets the secret for the Kerberos principal.
       This renders all other keytabs for that principal invalid.

and also there is an option:
       -r     Retrieve mode. Retrieve an existing key from the server instead
              of generating a new one. This is incompatible with the --password
              option, and will work only against a FreeIPA server more recent
              than version 3.3. The user requesting the keytab must have access
              to the keys for this operation to succeed.

HTH

LS
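Added example (not part of the thread and not FreeIPA project code): a small check that compares the kvno entries in a keytab with the kvno each IPA server's KDC actually issues for the same principal, which is the quickest way to tell whether a keytab was regenerated (as the man page warning above describes) or whether one replica has simply not received the new key. It assumes you captured the text of `klist -kte /etc/krb5.keytab` on the host and, on that same host, ran `kvno <principal>` once per IPA server (for example with `KRB5_CONFIG` pointing at a krb5.conf that lists only that server as kdc). The hostnames, principals and output samples below are constructed, and the verdict strings are this example's own wording.

```python
"""Compare keytab kvnos with the kvno each KDC issues (added example, constructed data)."""
import re
from collections import defaultdict

# Format of a `kvno` result line: "<principal>: kvno = <n>"
KVNO_LINE = re.compile(r"^(\S+@\S+):\s+kvno\s*=\s*(\d+)\s*$")


def keytab_kvnos(klist_text):
    """Map principal -> set of kvnos found in `klist -kte` output.

    Data lines start with the kvno; the principal is the token containing '@'.
    Header, separator and 'Keytab name:' lines are skipped.
    """
    entries = defaultdict(set)
    for line in klist_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        principal = next((p for p in parts[1:] if "@" in p), None)
        if principal:
            entries[principal].add(int(parts[0]))
    return dict(entries)


def kdc_kvnos(kvno_text):
    """Map principal -> kvno from the output of `kvno` run against one KDC."""
    result = {}
    for line in kvno_text.splitlines():
        m = KVNO_LINE.match(line.strip())
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def check(keytab, per_server):
    """Return (server, principal, kvno_issued, verdict) for every principal seen.

    A service can only decrypt a ticket whose kvno matches an entry in its
    keytab, so set membership is the test; the direction of the mismatch
    tells you which side is stale.
    """
    findings = []
    for server, text in per_server.items():
        for principal, kvno in kdc_kvnos(text).items():
            have = keytab.get(principal, set())
            if kvno in have:
                verdict = "ok"
            elif not have:
                verdict = "principal missing from keytab"
            elif kvno > max(have):
                verdict = "keytab stale: KDC issues a newer kvno (key regenerated elsewhere?)"
            else:
                verdict = "server behind: KDC still on an older kvno (replication?)"
            findings.append((server, principal, kvno, verdict))
    return findings


# Constructed sample: `klist -kte` on web1, and `kvno` output gathered against two IPA servers.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 11/22/2016 10:15:37 host/web1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 11/22/2016 10:15:37 host/web1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 10/01/2016 09:00:00 HTTP/web1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

SAMPLE_KVNO = {
    "ipa1.example.test": (
        "host/web1.example.test@EXAMPLE.TEST: kvno = 4\n"
        "HTTP/web1.example.test@EXAMPLE.TEST: kvno = 2\n"
    ),
    # ipa2 never received the regenerated host key: it still issues kvno 3.
    "ipa2.example.test": (
        "host/web1.example.test@EXAMPLE.TEST: kvno = 3\n"
        "HTTP/web1.example.test@EXAMPLE.TEST: kvno = 2\n"
    ),
}


if __name__ == "__main__":
    for server, principal, kvno, verdict in check(keytab_kvnos(SAMPLE_KLIST), SAMPLE_KVNO):
        print(f"{server:20} {principal:40} kvno={kvno:<3} {verdict}")
```

The "server behind" verdict is the situation in this thread: the keytab was fetched from one server, which bumped the kvno there, and a replica that has not replicated the new key keeps issuing tickets under the old kvno, so clients sent to that replica fail against the service. The opposite direction ("keytab stale") is what you get on every other copy of a keytab after someone runs `ipa-getkeytab` without `-r` for the same principal.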
