Here's how we do it.  
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k 

Now we can leverage the keytab for that user principal.
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab 

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
IPA server version 3.0.0. API version 2.49

If you need to access the service account, then setup a sudo rule to switch 
user to that account.
Example: "sudo su - svc_useradm"


-----Original Message-----
>From: Roderick Johnstone <>
>Sent: May 5, 2016 12:39 PM
>Subject: [Freeipa-users] Help needed with keytabs
>I need to run some ipa commands in cron jobs.
>The post here: 
>suggests I need to use a keytab file to authenticate kerberos.
>I've tried the prescription there, with variations, without success.
>My current testing framework is to log into the ipa client (RHEL6.7, 
>ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
>destroy the current tickets, re-establish a tgt for the user with kinit 
>using the keytab and try to run an ipa command. The ipa command fails 
>(just like in my cron jobs which use the same kinit command).
>1) Log into ipa client as user test.
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s -p -k 
>/home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>I seem to have to reset the password to what it was in this step, 
>otherwise it gets set to something random and the user test cannot log 
>into the ipa client any more.
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache 
>4) kinit from the keytab:
>$ kinit -F -k -t /home/test/test.keytab
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal:
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
>domain='ipa', localedir=None):, 
>Can someone advise what I'm doing wrong in this procedure please (some 
>strings were changed to anonymize the setting)?
>For completeness of information, the ipa servers are RHEL 7.2, 
>Roderick Johnstone
>Manage your subscription for the Freeipa-users mailing list:
>Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to