[Freeipa-users] Distributing user keytabs for non-interactive auth question
Matthew Sellers
matt at indigo.nu
Mon Sep 26 00:37:29 UTC 2016
Hi Guys,
What is the best way to distribute 'user' keytabs to allow 'system
users' to run scripts with non-interactive auth? Is it possible to use
the ipa-getkeytab feature (with the "-r" option) to request a keytab
for a user principal? I see support for HOST and SERVICE keytabs, but
nothing specific to user keytabs?
Concept Example:
ipa-getkeytab -s ipa_server -p cron_runner@REALM.COM -k ipa_cron.keytab -r
KRB5_KTNAME=ipa_cron.keytab service.py
Actual Results ( tried with tgt for cron_runner or admin ):
[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_runner@REALM.COM -kipa_cron.keytab -r
Failed to parse result: Insufficient access rights
My only other option is to grab the keytab and copy it around after
initial creation (understanding that each keytab request bumps the
KVNO). My goal is to make password-less authentication for automated
processes as easy as possible to set up... ipa-getkeytab seems like
it's almost there?
Love the work you guys are putting out, it's a really cool system.
Thanks,
Matt