On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:
Hello,

I found a HowTo on FreeIPA for installing an HA version of a mail system.

Now I have a problem getting the keytab on the second server.

On the first server I run:

kinit admin
ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

This is working.

But on the second server, when I start

kinit admin
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

for the same keytab, I get an error that access is not possible.

Is this a bug or a mistake on my part?


AFAIK reading Kerberos keys is a protected operation reserved for root/directory manager only, so you will have to use your Directory manager credentials for that:

"""
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD
"""
Alternatively, you can permit your admin user to retrieve the keytab using the following command:

"""
ipa service-allow-retrieve-keytab imap/mail.example.com --users admin
"""

and then run ipa-getkeytab as admin.

--
Martin^3 Babinsky
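
A check for the two-server setup discussed above, as an added example that is not part of the original thread: without `-r`, ipa-getkeytab generates new keys and raises the key version number (KVNO), which invalidates the keytab already deployed on the first server, so after retrieval both hosts should report the same KVNO. The `klist -k` listings below are constructed samples, the realm EXAMPLE.COM is assumed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed `klist -k` output; realm EXAMPLE.COM is assumed.
SERVER1_KLIST='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 imap/mail.example.com@EXAMPLE.COM
   1 imap/mail.example.com@EXAMPLE.COM'
# Second server after "ipa-getkeytab -r": same keys, same KVNO.
SERVER2_RETRIEVED="$SERVER1_KLIST"
# Second server after ipa-getkeytab WITHOUT -r: keys were regenerated.
SERVER2_REGENERATED='Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 imap/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

# keytab_kvno PRINCIPAL: read `klist -k` output on stdin and print the
# highest KVNO listed for PRINCIPAL (realm optional); nothing if absent.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {
            name = $2; sub(/@.*$/, "", name)
            want = p;  sub(/@.*$/, "", want)
            if (name == want && (!found || $1 + 0 > max)) {
                max = $1 + 0; found = 1
            }
        }
        END { if (found) print max }'
}

# compare_kvno FIRST SECOND: classify the KVNOs seen on the two servers.
compare_kvno() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo "missing"
    elif [ "$1" -eq "$2" ]; then echo "match"
    else echo "mismatch"
    fi
}

# On real hosts, feed it: klist -k /etc/dovecot/dovecot.keytab
k1=$(printf '%s\n' "$SERVER1_KLIST" | keytab_kvno imap/mail.example.com)
k2=$(printf '%s\n' "$SERVER2_RETRIEVED" | keytab_kvno imap/mail.example.com)
k3=$(printf '%s\n' "$SERVER2_REGENERATED" | keytab_kvno imap/mail.example.com)
echo "retrieved with -r:   $(compare_kvno "$k1" "$k2")"
echo "fetched without -r:  $(compare_kvno "$k1" "$k3")"
```

A "mismatch" means the first server's keytab no longer matches the keys in the KDC and must be fetched again with `-r`.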
