Try the following...
# Get admin TGT
# Get keytab for user account
ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab
# Clear tickets
# Request TGT using the keytab
kinit -k -t ./cron_runner.keytab cron_run...@realm.com
# List tickets
I recommend including the username somewhere in the name of the keytab file
itself which makes it easier to remember. Of course be careful with the
permissions on the keytab file, because anyone that has read access to the
keytab can get a TGT as that user.
>From: Matthew Sellers <m...@indigo.nu>
>Sent: Sep 25, 2016 8:37 PM
>Subject: [Freeipa-users] Distributing user keytabs for non-interactive auth
>What is the best way to distribute a 'user' keytab to distribute
>keytabs to allow 'system users' to run scripts with non-interactive
>auth? Is it possible to use the ipa-getkeytab feature ( with "-r"
>option ) to request a keytab for a user principal? I see support for
>HOST and SERVICE keytabs, but nothing specific to user keytabs?
>ipa-getkeytab -s ipa_server -p cron_run...@realm.com -k ipa_cron.keytab -r
>Actual Results ( tried with tgt for cron_runner or admin ):
>[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_run...@realm.com
>Failed to parse result: Insufficient access rights
>My only other option is grab the keytab and copy it around after
>initial creation ( understanding that each keytab requests bumps the
>KVNO ). My goal is to make password-less authentication for automated
>processes as easy as possible to setup....ipa-getkeytab seems like its
>Love the work you guys are putting out, its a really cool system.
>Manage your subscription for the Freeipa-users mailing list:
>Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project