An inexperienced administrator overwrote the /etc/krb5.keytab on my IDM server. (ugh!)

I had thought ipa-getkeytab was retrieving the keytab, but now see I 
regenerated it and SHOULD have used the -r flag.

ipa-getkeytab(1)                IPA Manual Pages                ipa-getkeytab(1)

NAME
       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS
       ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
       [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ]
       [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ]
       [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]

DESCRIPTION
       Retrieves a Kerberos keytab.

-snip-
       WARNING: retrieving the keytab resets the secret for the Kerberos
       principal.  This renders all other keytabs for that principal invalid.

-snip-


grant@ef-idm01:/etc[20210302-15:39][#1009]$ ipa-getkeytab -s ef-idm01.production.efilm.com -p host/ef-idm01.production.efilm.com -k ~/ef-idm01.krb5.keytab
Keytab successfully retrieved and stored in: /home/grant/ef-idm01.krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1010]$ sudo rsync -av ~/ef-idm01.krb5.keytab /etc/krb5.keytab
sending incremental file list
ef-idm01.krb5.keytab

sent 521 bytes  received 31 bytes  1104.00 bytes/sec
total size is 418  speedup is 0.76
grant@ef-idm01:/etc[20210302-15:40][#1011]$ ls -al /etc/krb5.keytab
-rw------- 1 grant grant 418 Mar  2 15:40 /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1012]$ sudo chown root.root /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:41][#1013]$

What are the possible repercussions of regenerating this keytab?
I don’t see any issues.  Am I missing anything?

thanx

- grant
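A stale-keytab check, added here as an example and not taken from the post above or from the FreeIPA project: because retrieval without -r resets the principal's secret, any older copy of the keytab will carry a lower key version number (kvno) than the KDC now holds. The script parses `klist -kt` output (a constructed sample is embedded so it runs offline; the realm name and kvno values in it are made up) and compares the highest kvno for the host principal against the kvno the KDC reports, which on a live host is assumed to come from the MIT `kvno` command.

```shell
#!/bin/sh
# Added example (not from the original post): flag a keytab whose key for a
# principal is older than the key the KDC currently uses.

# Constructed sample of `klist -kt /etc/krb5.keytab` output so the script
# runs offline. Realm and kvno values are made up; a real run pipes klist.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/02/2021 15:39:41 host/ef-idm01.production.efilm.com@PRODUCTION.EFILM.COM
   3 03/02/2021 15:39:41 host/ef-idm01.production.efilm.com@PRODUCTION.EFILM.COM'

# keytab_max_kvno PRINCIPAL < klist_output
# Prints the highest KVNO the keytab holds for PRINCIPAL (0 if absent).
keytab_max_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF == p && $1+0 > max { max = $1+0 }
        END { print max+0 }'
}

# keytab_status KEYTAB_KVNO KDC_KVNO
# "current": keytab holds the key the KDC uses.
# "stale":   keytab predates a reset, the case the ipa-getkeytab warning
#            describes; services using this copy will fail to decrypt tickets.
# "missing": principal is not in the keytab at all.
keytab_status() {
    kt="$1"; kdc="$2"
    if [ "$kt" -eq 0 ]; then echo missing
    elif [ "$kt" -lt "$kdc" ]; then echo stale
    else echo current
    fi
}

# On a live host the two inputs would come from (assumed MIT Kerberos tools):
#   klist -kt /etc/krb5.keytab | keytab_max_kvno "$PRINC"
#   kvno "$PRINC"      # prints the kvno the KDC used for the service ticket
check_sample() {
    princ="host/ef-idm01.production.efilm.com@PRODUCTION.EFILM.COM"
    kt_kvno=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno "$princ")
    # 4 stands in for the kvno the KDC would report after a further
    # ipa-getkeytab run without -r bumped the key (constructed value).
    keytab_status "$kt_kvno" 4
}
```

Run `check_sample` to see the sample keytab reported as stale; swap the constructed inputs for live klist and kvno output to audit a real copy.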
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org