On 03/08/2018 02:30 AM, William Muriithi via FreeIPA-users wrote:
Hello,

I am attempting to set up Apache behind a load balancer and have set up
the necessary host and DNS entry to represent a virtual host.  I also
have added the ACL to pull and also create the ticket.

I am however unable to run ipa-getkeytab with the -r flag.  If I
remove the flag, I get the ticket fine from both systems.  What could
I have overlooked?  I have gone through the exercise twice with the
same result.  Below is what I am currently seeing.

Hi,

A user needs specific access rights in order to retrieve a keytab, which are different from those needed to create a keytab. You can perform the ipa-getkeytab command as cn=Directory manager with the option:
ipa-getkeytab --retrieve -D "cn=directory manager" -w $password ...

HTH,
Flo

[william@ansible ~]$ ssh root@lithium
Last login: Wed Mar  7 15:57:59 2018 from cacti.eng.example.com
[root@lithium ~]# ipa service-find temp30.eng.example.com
-----------------
1 service matched
-----------------
   Principal name: http/temp30.eng.example....@eng.example.com
   Principal alias: http/temp30.eng.example....@eng.example.com
   Keytab: True
   Hosts allowed to retrieve keytab: temp20.eng.example.com, temp21.eng.example.com
----------------------------
Number of entries returned 1
----------------------------
[root@lithium ~]#


[root@temp20 ~]# ipa-getkeytab -r -s lithium.eng.example.com -p http/temp30.eng.example.com -k /etc/httpd/conf.d/httpd.keytab
Failed to parse result: Insufficient access rights

Failed to get keytab
[root@temp20 ~]# ipa-getkeytab  -s lithium.eng.example.com -p http/temp30.eng.example.com -k /etc/httpd/conf.d/httpd.keytab
Keytab successfully retrieved and stored in: /etc/httpd/conf.d/httpd.keytab
[root@temp20 ~]#

Regards,
William
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
