An inexperienced administrator overwrote the /etc/krb5.keytab on my IDM server. (ugh!)

I had thought ipa-getkeytab was retrieving the keytab, but now see I regenerated it and SHOULD have used the -r flag.

    ipa-getkeytab(1)              IPA Manual Pages              ipa-getkeytab(1)

    NAME
           ipa-getkeytab - Get a keytab for a Kerberos principal

    SYNOPSIS
           ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
           [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ]
           [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ]
           [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]

    DESCRIPTION
           Retrieves a Kerberos keytab.
           -snip-
           WARNING: retrieving the keytab resets the secret for the Kerberos
           principal. This renders all other keytabs for that principal invalid.
           -snip-

    grant@ef-idm01:/etc[20210302-15:39][#1009]$ ipa-getkeytab -s ef-idm01.production.efilm.com -p host/ef-idm01.production.efilm.com -k ~/ef-idm01.krb5.keytab
    Keytab successfully retrieved and stored in: /home/grant/ef-idm01.krb5.keytab
    grant@ef-idm01:/etc[20210302-15:40][#1010]$ sudo rsync -av ~/ef-idm01.krb5.keytab /etc/krb5.keytab
    sending incremental file list
    ef-idm01.krb5.keytab

    sent 521 bytes  received 31 bytes  1104.00 bytes/sec
    total size is 418  speedup is 0.76
    grant@ef-idm01:/etc[20210302-15:40][#1011]$ ls -al /etc/krb5.keytab
    -rw------- 1 grant grant 418 Mar 2 15:40 /etc/krb5.keytab
    grant@ef-idm01:/etc[20210302-15:40][#1012]$ sudo chown root.root /etc/krb5.keytab
    grant@ef-idm01:/etc[20210302-15:41][#1013]$

What are the possible repercussions of regenerating this keytab? I don’t see any issues. Am I missing anything?

thanx - grant
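As an added example that is not part of grant's post or of the FreeIPA project, here is the check a defender wants after a keytab has been reset rather than retrieved with -r: parse each copy of the keytab (MIT keytab format, version 0x0502) and compare every entry's key version number (kvno) with the kvno the KDC currently holds for that principal, which in practice you would read from `kvno host/<fqdn>` after a `kinit`. Any copy still at the pre-reset kvno can no longer decrypt the service tickets the KDC now issues. The keytab bytes, the realm PRODUCTION.EFILM.COM, the dummy key material, the timestamps and the KDC-side kvno are all constructed assumptions.

```python
"""Spot keytab copies invalidated by an ipa-getkeytab reset.

Added example (not from the original post or the FreeIPA project). Parses the
MIT keytab format (version 0x0502) and compares every entry's key version
number (kvno) with the kvno the KDC currently reports for that principal.
Constructed assumptions: realm PRODUCTION.EFILM.COM, dummy key bytes,
timestamps and the KDC-side kvno (in practice: `kvno host/<fqdn>`).
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab file version 0x0502, big-endian fields
NT_PRINCIPAL = 1             # Kerberos name type for ordinary principals
HOST = "host/ef-idm01.production.efilm.com@PRODUCTION.EFILM.COM"  # realm assumed


@dataclass
class KeytabEntry:
    principal: str
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted_string(buf, off):
    """uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return the live entries of a 0x0502 keytab as KeytabEntry objects."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno; non-zero wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   ts, kvno, enctype, key))
    return entries


def build_entry(principal, kvno, enctype, key, timestamp):
    """Serialise one keytab entry (used here only to construct sample data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)       # full 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def stale_entries(entries, kdc_kvno):
    """Entries whose principal the KDC now serves under a different kvno.

    kdc_kvno maps principal -> kvno as printed by `kvno <principal>`; such an
    entry can no longer decrypt tickets the KDC issues for that principal."""
    return [e for e in entries
            if e.principal in kdc_kvno and e.kvno != kdc_kvno[e.principal]]


# Constructed sample data: a copy of the host keytab taken before the reset
# (kvno 3, aes256-cts=18 and aes128-cts=17, plus one deleted-entry hole) and
# the freshly retrieved copy (kvno 4). The KDC, after the reset, reports 4.
T0 = 1614699600
OLD_COPY = (KEYTAB_MAGIC
            + build_entry(HOST, 3, 18, b"\x11" * 32, T0)
            + struct.pack(">i", -8) + b"\x00" * 8
            + build_entry(HOST, 3, 17, b"\x22" * 16, T0))
NEW_COPY = (KEYTAB_MAGIC
            + build_entry(HOST, 4, 18, b"\x33" * 32, T0 + 60)
            + build_entry(HOST, 4, 17, b"\x44" * 16, T0 + 60))
KDC_KVNO = {HOST: 4}

if __name__ == "__main__":
    for label, blob in (("old copy", OLD_COPY), ("new copy", NEW_COPY)):
        for e in stale_entries(parse_keytab(blob), KDC_KVNO):
            print(f"{label}: STALE {e.principal} kvno {e.kvno} enctype {e.enctype}")
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; the deleted-entry skip matters there because `ktutil`-edited keytabs leave holes. The tool equivalents on the page's own system are `klist -kt /etc/krb5.keytab` for the file side and `kvno` for the KDC side; this code simply does the comparison without depending on either binary being present.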
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org