Thanks for the reply. I did use this originally when deploying my
'kerberized' service on my first host. What I am trying to do is use
ipa-getkeytab for keytab distribution on say...100 hosts, without
having to copy around keytabs from host to host.
Since using ipa-getkeytab without the '-r' option just creates a new
keytab with a bumped KVNO, and when I do use '-r' I receive a message
for 'Insufficient access rights', I am still fuzzy....
Can ipa-getkeytab be used for mass distribution of user keytabs with
the -r option?
On Sun, Sep 25, 2016 at 9:03 PM, Michael ORourke
> Try the following...
> # Get admin TGT
> kinit ad...@realm.com
> # Get keytab for user account
> ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab
> # Clear tickets
> kdestroy
> # Request TGT using the keytab
> kinit -k -t ./ipa_cron_runner.keytab cron_run...@realm.com
> # List tickets
> klist
> I recommend including the username somewhere in the name of the keytab file
> itself which makes it easier to remember. Of course be careful with the
> permissions on the keytab file, because anyone that has read access to the
> keytab can get a TGT as that user.
> -----Original Message-----
>>From: Matthew Sellers <m...@indigo.nu>
>>Sent: Sep 25, 2016 8:37 PM
>>Subject: [Freeipa-users] Distributing user keytabs for non-interactive auth
>>What is the best way to distribute a 'user' keytab to distribute
>>keytabs to allow 'system users' to run scripts with non-interactive
>>auth? Is it possible to use the ipa-getkeytab feature ( with "-r"
>>option ) to request a keytab for a user principal? I see support for
>>HOST and SERVICE keytabs, but nothing specific to user keytabs?
>>ipa-getkeytab -s ipa_server -p cron_run...@realm.com -k ipa_cron.keytab -r
>>Actual Results ( tried with tgt for cron_runner or admin ):
>>[sysadmin@01 ~]$ ipa-getkeytab -s coipa100 -p cron_run...@realm.com
>>Failed to parse result: Insufficient access rights
>>My only other option is to grab the keytab and copy it around after
>>initial creation (understanding that each keytab request bumps the
>>KVNO). My goal is to make password-less authentication for automated
>>processes as easy as possible to set up....ipa-getkeytab seems like its
>>Love the work you guys are putting out, it's a really cool system.
>>Manage your subscription for the Freeipa-users mailing list:
>>Go to http://freeipa.org for more info on the project
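The procedure Michael lays out above (admin kinit, ipa-getkeytab for the user principal, kinit -k -t to prove the keytab works), his warning about keytab file permissions, and the KVNO bump Matthew describes, put together as an added shell example. This is not code from the thread or from the FreeIPA project. The server name, principal, keytab path and owner account are placeholders, and check_keytab_perms assumes GNU stat. Because the fetch runs without -r and therefore re-keys the principal, it is meant to run once; the resulting file is then copied to the other hosts, and the two klist helpers let you spot copies whose KVNO has fallen behind a later fetch.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeIPA itself.
# Assumed placeholders: ipa.realm.com, cron_runner@REALM.COM,
# /etc/ipa_cron_runner.keytab and the local account cron_runner.

# Fetch a fresh keytab for a user principal. Without -r this generates a
# new key and bumps the KVNO, so every copy fetched earlier stops working:
# run it once, then copy the file, rather than re-running it per host.
fetch_user_keytab() {
    server=$1 principal=$2 keytab=$3 owner=$4
    # umask in a subshell so the file never exists with wider permissions
    ( umask 077; ipa-getkeytab -s "$server" -p "$principal" -k "$keytab" ) || return 1
    chown "$owner" "$keytab" && chmod 0600 "$keytab"
}

# Non-interactive login test: take a TGT from the keytab into a throwaway
# credential cache, list it, then destroy it.
verify_keytab() {
    principal=$1 keytab=$2
    KRB5CCNAME=$(mktemp) || return 1
    export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" && klist
    rc=$?
    kdestroy -q 2>/dev/null
    rm -f "$KRB5CCNAME"
    return $rc
}

# Return 0 only if $1 is owned by $2 and readable by nobody else: whoever
# can read the keytab can obtain a TGT as that user. GNU stat assumed.
check_keytab_perms() {
    keytab=$1 owner=$2
    set -- $(stat -c '%a %U' "$keytab") || return 1
    [ "$1" = "600" ] || [ "$1" = "400" ] || return 1
    [ "$2" = "$owner" ]
}

# Read "klist -k <keytab>" output on stdin and print distinct
# "principal kvno" pairs. Two KVNOs for one principal means entries from
# an earlier fetch are still in the file.
keytab_kvnos() {
    awk 'NR > 3 && NF == 2 { print $2, $1 }' | sort -u
}

# Highest KVNO in "klist -k" output on stdin. Compare across hosts: a copy
# whose value is lower than the others was left behind by a later fetch.
keytab_max_kvno() {
    awk 'BEGIN { max = 0 } NR > 3 && NF == 2 && $1 > max { max = $1 } END { print max + 0 }'
}

# Typical use on the first host (placeholders, see above):
#   fetch_user_keytab ipa.realm.com cron_runner@REALM.COM /etc/ipa_cron_runner.keytab cron_runner
#   check_keytab_perms /etc/ipa_cron_runner.keytab cron_runner
#   verify_keytab cron_runner@REALM.COM /etc/ipa_cron_runner.keytab
#   klist -k /etc/ipa_cron_runner.keytab | keytab_max_kvno
```

After copying the file to another host, run check_keytab_perms there as well, since scp and configuration tools do not always preserve the owner, and compare keytab_max_kvno output between hosts before blaming the KDC for a failed kinit.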