On ti, 19 syys 2017, Ronald Wimmer wrote:
Adding "-r" leads to this error message:
ipa-getkeytab -r -k /etc/httpd.keytab -p
HTTP/mwoc.linux.mydomain...@linux.mydomain.at
Failed to parse result: Insufficient access rights
Failed to get keytab
The ipa user is admin which should have all permissions and the OS
user on the server where the command was issued is "root".
ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
What am I missing here?
Documentation!
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/retrieve-existing-keytabs.html
Please spend some time reading the documentation. It is vast and has a
lot of answers to questions people keep asking on these lists.
Regards,
Ronald
On 2017-09-19 11:24, Alexander Bokovoy wrote:
On ti, 19 syys 2017, Ronald Wimmer wrote:
Why does fetching a keytab influence its version number?
If i have three servers in a load balancer service compound and do a
ipa-getkeytab -k /etc/httpd.keytab -p
HTTP/compoundservice.linux.mydomain...@linux.mydomain.at
on each of the servers the kvno will be increased with every fetch
command leading to invalidating the keytab on the first two
servers if I issue the command on the third?
I would really appreciate some clarification here.
ipa-getkeytab by design resets the key. It is documented elsewhere, in
the man page for ipa-getkeytab and also in IPA documentation.
If you are on newer IPA version (4.1 or later), its ipa-getkeytab has
option '-r' that allows to retrieve existing key if you have enough
privileges for that.
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management describes
this feature.
Regards,
Ronald
On 2017-09-14 11:46, Alexander Bokovoy wrote:
On to, 14 syys 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,
today I found out that some entries in a keytab file seemed to
have expired:
Request ticket server
HTTP/mwc.linux.mydomain...@linux.mydomain.at kvno 4 not found
in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the
problem. But why is this happening? Do keytab entries expire?
I have not set any custom password or ticket policies.
You did most likely change the key on the KDC side by running
ipa-getkeytab at some other place. This is what kvno 4 tells you about
-- it is key version number. 4 means there were at least three
different
changes since that original key issuance time already.
--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org