Hey Mike,

Thanks for the reply.  I did use this originally when deploying my
'kerberized' service on my first host.   What I am trying to do is use
ipa-getkeytab for keytab distribution on say...100 hosts, without
having to copy around keytabs from host to host.

Since using ipa-getkeytab without the '-r' option just creates a new
keytab with bumped KVNO ..and.. when I do use '-r' I receive a message
for 'Insufficient access rights' I am still fuzzy....

Can ipa-getkeytab be used for mass distribution of user keytabs with
the -r option?

Thanks Again!
Matt



On Sun, Sep 25, 2016 at 9:03 PM, Michael ORourke
<mrorou...@earthlink.net> wrote:
> Matt,
>
> Try the following...
>
> # Get admin TGT
> kinit ad...@realm.com
>
> # Get keytab for user account
> ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab
>
> # Clear tickets
> kdestroy
>
> # Request TGT using the keytab
> kinit -k -t ./cron_runner.keytab cron_run...@realm.com
>
> # List tickets
> klist
>
> I recommend including the username somewhere in the name of the keytab file 
> itself which makes it easier to remember.  Of course be careful with the 
> permissions on the keytab file, because anyone that has read access to the 
> keytab can get a TGT as that user.
>
> -Mike
>
> -----Original Message-----
>>From: Matthew Sellers <m...@indigo.nu>
>>Sent: Sep 25, 2016 8:37 PM
>>To: freeipa-users@redhat.com
>>Subject: [Freeipa-users] Distributing user keytabs for non-interactive auth question
>>
>>Hi Guys,
>>
>>What is the best way to distribute a 'user' keytab to allow 'system
>>users' to run scripts with non-interactive
>>auth?  Is it possible to use the ipa-getkeytab feature ( with "-r"
>>option ) to request a keytab for a user principal?  I see support for
>>HOST and SERVICE keytabs, but nothing specific to user keytabs?
>>
>>Concept Example:
>>
>>ipa-getkeytab -s ipa_server -p cron_run...@realm.com -k ipa_cron.keytab -r
>>KRB5_KTNAME=ipa_cron.keytab service.py
>>
>>Actual Results ( tried with tgt for cron_runner or admin ):
>>
>>[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_run...@realm.com
>>-kipa_cron.keytab -r
>>Failed to parse result: Insufficient access rights
>>
>>My only other option is grab the keytab and copy it around after
>>initial creation ( understanding that each keytab requests bumps the
>>KVNO ).  My goal is to make password-less authentication for automated
>>processes as easy as possible to setup....ipa-getkeytab seems like it's
>>almost there?
>>
>>Love the work you guys are putting out, it's a really cool system.
>>
>>Thanks,
>>Matt
>>
>>--
>>Manage your subscription for the Freeipa-users mailing list:
>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>Go to http://freeipa.org for more info on the project
>

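An added example, not code from either message in this thread: a small POSIX sh pre-flight wrapper for the cron use case discussed above, covering the two points raised (Mike's warning that anyone who can read the keytab can get a TGT as that user, and the KVNO that every ipa-getkeytab run without -r bumps, which silently invalidates older copies). The principal, keytab name and the klist output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Principal/file names and the sample
# klist output below are constructed, not real data.

# keytab_mode_ok FILE: succeed only if FILE is a regular file with no
# group/other permission bits set (0600 or tighter). ls -l is used because
# stat's flags differ between GNU and BSD.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -???------) return 0 ;;   # e.g. -rw-------
        *)          return 1 ;;
    esac
}

# max_kvno_for PRINCIPAL: read `klist -kt` output on stdin and print the
# highest KVNO stored for PRINCIPAL (prints nothing if it is absent). Comparing
# this against a freshly fetched keytab shows whether an older copy on another
# host has been superseded by a KVNO bump.
max_kvno_for() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p && $1+0 > max { max = $1+0; found = 1 }
                   END { if (found) print max }'
}

# Constructed sample of `klist -kt ipa_cron_runner.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:ipa_cron_runner.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 09/25/2016 20:30:00 cron_runner@REALM.COM
   3 09/25/2016 21:03:01 cron_runner@REALM.COM
   3 09/25/2016 21:03:01 cron_runner@REALM.COM'

# run_with_keytab FILE PRINCIPAL CMD...: refuse a group/world-readable keytab,
# then obtain a TGT into a private credential cache and run CMD with it.
# Needs kinit/kdestroy on the host; it is defined here but not invoked.
run_with_keytab() {
    ktfile=$1; princ=$2; shift 2
    keytab_mode_ok "$ktfile" || { echo "refusing $ktfile: permissions too open" >&2; return 2; }
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME   # per-job cache, not the user's default
    kinit -k -t "$ktfile" "$princ" || return 3
    "$@"; rc=$?
    kdestroy 2>/dev/null                              # drop the TGT when the job ends
    return $rc
}
```

Usage on a real host would be `run_with_keytab ipa_cron_runner.keytab cron_runner@REALM.COM ./service.py`, and `klist -kt ipa_cron_runner.keytab | max_kvno_for cron_runner@REALM.COM` reports the KVNO a copied keytab carries.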
