On 04/26/2012 10:58 PM, David Copperfield wrote:
> Just have a silly case where I've to download the existing version
> keytab for a service principal. It is download only -- not recreate a
> new version and download the new version which ipa-getkeytab does. --
> ipa-getkeytab command name seems a little bit misleading because it
> does both 'set' and 'get' operations.
> I've overheard that there is a way to get it from the underlying 389
> directory server but not sure how to do it. Anyone please shed
> light on this? Similarly, how to download a host certificate from
> Dogtag because 'ipa-getcert request' is also resetting it -- I may be
> wrong and so please feel free to correct me :); or how about a user
> principal's keytab from 389 too? Thanks a lot.
Is it a one-time operation? If so you can use the ldapsearch utility. The
object will have the ipaHost object class in IPA. You can use a
Directory Manager credential to authenticate.
I suggest you do it on the server and then deliver the key and the cert
I thought that there was a flag for ipa-getkeytab to fetch existing key
but my knowledge in this area is rusty. Same with the cert.
Maybe someone else would chime in.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.