Here's an approach that will work if you're on the KDC. Become root. Run kadmin.local.

ktadd -k XXX.kt -norandkey XXX

-norandkey is the equivalent of -r. That creates a key table XXX.kt (or adds to it if it already exists). No password needed except what you normally do to become root.

On Nov 22, 2019, at 3:48 PM, Dmitry Perets <dmitry.per...@gmail.com> wrote:

> Oh ok, so I just need to create an IPA host and let admin fetch its keytab on all real hosts running the service. Fair enough, thanks!
>
> Btw, in the meantime I discovered that it is possible to retrieve a user's keytab with "ipa-getkeytab -r" if you authenticate as "cn=Directory Manager". Apparently, it has the rights to do this. But the only way then is by specifying its password on the command line with "ipa-getkeytab -w" (it doesn't support prompting you securely, like kinit or ldapsearch do). So it is NOT a good idea to do so, unless you then clean up your history etc.... Better not :)
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org