On 5.5.2016 18:39, Roderick Johnstone wrote:
> I need to run some ipa commands in cron jobs.
> The post here:
> suggests I need to use a keytab file to authenticate kerberos.
> I've tried the prescription there, with variations, without success.
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a tgt for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
> 1) Log into ipa client as user test.
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
> 4) kinit from the keytab:
> $ kinit -F t...@example.com -k -t /home/test/test.keytab
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: t...@example.com
> Valid starting Expires Service principal
> 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/example....@example.com
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?
Kerberos part seems okay but for some reason connection to IPA servers does
I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'
and see what these print out.
> For completeness of information, the ipa servers are RHEL 7.2,
> Roderick Johnstone
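
A cron-safe form of steps 4 to 6 of the procedure quoted above, as an added example that is not part of the original thread: it authenticates from the keytab into a private credential cache, runs one command, and destroys the tickets afterwards. The function names, the keytab mode check and the sample values in the usage comment are assumptions for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): keytab-based authentication for cron.
# Function names and exit codes are assumptions chosen for this sketch.

# A keytab is password-equivalent, so refuse one that group/other can read.
keytab_is_private() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    perms=$(stat -c '%a' "$1") || return 1    # GNU stat (assumption)
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# run_with_keytab PRINCIPAL KEYTAB COMMAND [ARGS...]
run_with_keytab() {
    principal=$1; keytab=$2; shift 2
    keytab_is_private "$keytab" || {
        echo "keytab missing or not mode 600/400: $keytab" >&2
        return 2
    }
    # Cron has no login session, so use a dedicated cache instead of
    # whatever default cache another job or an interactive login may own.
    ccdir=$(mktemp -d) || return 3
    KRB5CCNAME="FILE:$ccdir/krb5cc"; export KRB5CCNAME

    rc=0
    if kinit -k -t "$keytab" "$principal" && klist -s; then
        "$@" || rc=$?            # propagate the command's exit status
    else
        echo "kinit from keytab failed for $principal" >&2
        rc=4
    fi

    # Always drop the tickets and the cache directory, success or not.
    kdestroy -q >/dev/null 2>&1 || true
    rm -rf "$ccdir"
    unset KRB5CCNAME
    return "$rc"
}

# Crontab usage (constructed path and principal):
# */30 * * * * . /usr/local/lib/ipa-cron.sh && \
#     run_with_keytab test@EXAMPLE.COM /home/test/test.keytab ipa ping
```

A non-zero exit from the wrapper distinguishes a keytab or `kinit` problem (2, 3, 4) from a failure of the command itself, which helps when the only evidence is cron mail.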