Hi Guys,

What is the best way to distribute a 'user' keytab to allow
'system users' to run scripts with non-interactive auth?  Is it
possible to use the ipa-getkeytab feature (with the "-r" option) to
request a keytab for a user principal?  I see support for HOST and
SERVICE keytabs, but nothing specific to user keytabs?

Concept Example:

ipa-getkeytab -s ipa_server -p cron_run...@realm.com -k ipa_cron.keytab -r
KRB5_KTNAME=ipa_cron.keytab service.py

Actual Results ( tried with tgt for cron_runner or admin ):

[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_run...@realm.com
-kipa_cron.keytab -r
Failed to parse result: Insufficient access rights

My only other option is to grab the keytab and copy it around after
initial creation (understanding that each keytab request bumps the
KVNO).  My goal is to make password-less authentication for automated
processes as easy as possible to set up... ipa-getkeytab seems like
it's almost there?

Love the work you guys are putting out, it's a really cool system.

Thanks,
Matt
