On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:

I found a HowTo on FreeIPA to install an HA version of a mail system.

Now I have a problem getting the keytab on the second server.

On the first server I run:

kinit admin
ipa-getkeytab  -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/

This is working,

but on the second server, when I start

kinit admin
ipa-getkeytab   -r  -s ipa.example.com -p imap/mail.example.com -k /etc/

for the same keytab,
I get an error that no access is possible.

Is this a bug or a mistake on my part?

AFAIK reading Kerberos keys is a protected operation reserved for root/directory manager only, so you will have to use your Directory manager credentials for that:

ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD

Alternatively, you can permit your admin user to retrieve the keytab using the following command:

ipa service-allow-retrieve-keytab imap/mail.example.com --users admin

and then run ipa-getkeytab as admin.

Martin^3 Babinsky
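
A check to run once the second server has its keytab, as an added example that is not part of the original thread: ipa-getkeytab without -r generates new keys, which raises the key version number (KVNO) and invalidates the first server's copy, so both keytabs should list the same KVNO for the principal. The function names, the realm EXAMPLE.COM and the sample `klist -k` listings are constructed for illustration.

```shell
#!/bin/sh
# Print the sorted, unique KVNOs for principal $1 from `klist -k` output on stdin.
# Entry lines start with the KVNO; with `klist -kt` a timestamp sits between
# the KVNO and the principal, so every later field is checked.
kvnos_for() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if (index($i, p "@") == 1) { print $1; break }
        }' | sort -nu
}

# same_kvno PRINCIPAL LISTING_A LISTING_B
# Returns 0 only if both listings contain the principal with identical KVNOs.
same_kvno() {
    a=$(printf '%s\n' "$2" | kvnos_for "$1")
    b=$(printf '%s\n' "$3" | kvnos_for "$1")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample listings (real input: klist -k /etc/dovecot/dovecot.keytab).
SERVER1_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ------------------------------------------------
   1 imap/mail.example.com@EXAMPLE.COM
   1 imap/mail.example.com@EXAMPLE.COM'

# Second server after a successful "ipa-getkeytab -r": same keys, same KVNO.
SERVER2_RETRIEVED="$SERVER1_KLIST"

# Second server after ipa-getkeytab without -r: new keys, KVNO bumped.
SERVER2_REGENERATED='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ------------------------------------------------
   2 imap/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

if same_kvno imap/mail.example.com "$SERVER1_KLIST" "$SERVER2_RETRIEVED"; then
    echo "retrieved: both servers hold the same key version"
fi
if ! same_kvno imap/mail.example.com "$SERVER1_KLIST" "$SERVER2_REGENERATED"; then
    echo "regenerated: KVNO differs, the first server's keytab is stale"
fi
```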