On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:
Hello,
I found a HowTo on FreeIPA to install an HA version of a mail system.
Now I have a problem getting the keytab onto the second server.
On the first server I run:
kinit admin
ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
This is working,
but on the second server, when I start
kinit admin
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
for the same keytab,
I get an error that no access is possible?
Is this a bug or a mistake on my part?
AFAIK reading Kerberos keys is a protected operation reserved for
root/directory manager only, so you will have to use your Directory
manager credentials for that:
"""
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD
"""
alternatively you can permit your admin user to retrieve the keytab
using the following command:
"""
ipa service-allow-retrieve-keytab imap/mail.example.com --users admin
"""
and then run ipa-getkeytab as admin
--
Martin^3 Babinsky
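The second option above, carried through as an added example (not from the thread or the FreeIPA project): instead of granting the retrieve right to the admin user, grant it to the second mail server's own host principal, fetch the existing key with -r, and confirm both servers hold the same key version. The second server's name mail2.example.com and the use of --hosts are assumptions; ipa.example.com, the service principal and the keytab path come from the thread.

```shell
#!/bin/sh
# Added example: least-privilege keytab retrieval for a second mail server.
# Assumed: mail2.example.com is the second server and is enrolled in IPA.
set -eu

IPA_SERVER=ipa.example.com
SERVICE=imap/mail.example.com
KEYTAB=/etc/dovecot/dovecot.keytab
SECOND_HOST=mail2.example.com   # assumption: name of the second mail server

# Print the highest key version number (KVNO) a principal has in the
# `klist -kt` output read from stdin. Data lines look like:
#   "   2 04/21/2016 16:53:00 imap/mail.example.com@EXAMPLE.COM"
# Header and separator lines have no 4th field and are ignored.
keytab_kvno() {
    awk -v princ="$1" \
        '$4 ~ ("^" princ "@") && $1+0 > max { max = $1+0 } END { print max+0 }'
}

# Run once, as admin, from any enrolled host: allow the second server's host
# principal (it authenticates with /etc/krb5.keytab) to read this service key.
grant_retrieve() {
    ipa service-allow-retrieve-keytab "$SERVICE" --hosts="$SECOND_HOST"
}

# Run on the second server as root. -r fetches the EXISTING key; without -r,
# ipa-getkeytab generates a new key and silently invalidates the keytab that
# the first server already holds.
fetch_existing_key() {
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)"
    ipa-getkeytab -r -s "$IPA_SERVER" -p "$SERVICE" -k "$KEYTAB"
    chown dovecot "$KEYTAB"
    chmod 600 "$KEYTAB"
}

# Run on both servers: the reported KVNOs must match, otherwise one side
# will fail GSSAPI authentication against clients holding the other key.
local_kvno() {
    klist -kt "$KEYTAB" | keytab_kvno "$SERVICE"
}

if [ "${1:-}" = grant ]; then
    grant_retrieve
elif [ "${1:-}" = fetch ]; then
    fetch_existing_key && echo "kvno on $(hostname -f): $(local_kvno)"
fi
```

Invoke as `./keytab.sh grant` once with an admin ticket, then `./keytab.sh fetch` on the second server; compare its printed kvno with `klist -kt /etc/dovecot/dovecot.keytab` on the first.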