Re: [Freeipa-users] Help needed with keytabs

2016-05-06 Thread Petr Spacek
On 5.5.2016 18:39, Roderick Johnstone wrote:
> Hi
> 
> I need to run some ipa commands in cron jobs.
> 
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate with Kerberos.
> 
> I've tried the prescription there, with variations, without success.
> 
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a TGT for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
> 
> 1) Log into ipa client as user test.
> 
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k
> /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
> 
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
> 
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
> 
> 4) kinit from the keytab:
> $ kinit -F t...@example.com -k -t /home/test/test.keytab
> 
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: t...@example.com
> 
> Valid starting     Expires            Service principal
> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
> 
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://ipa2.example.com/ipa/xml
> 
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?

The Kerberos part seems okay, but for some reason the connection to the IPA
servers does not work.

I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'

and see what these print out.

Petr^2 Spacek

> 
> For completeness of information, the ipa servers are RHEL 7.2,
> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
> 
> Thanks
> 
> Roderick Johnstone

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi again

After further testing, it seems like my problems were caused by the use 
of the -F option on the kinit line.


Roderick



Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping 
successfully. Then I tried my kinit syntax (after a kdestroy) and I can 
still ipa ping successfully!


So, it does work now, but I don't know why it didn't work for me 
earlier. It feels like some sort of caching problem but I think kdestroy 
clears the cache.


Thanks again for your help.

Roderick



Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Michael ORourke

Roderick,

Here's how we do it.
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k 
/root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab 
svc_user...@lnx.dr.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
--
IPA server version 3.0.0. API version 2.49
--

If you need to access the service account, then set up a sudo rule to switch
user to that account.
Example: "sudo su - svc_useradm"

-Mike

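A cron wrapper that puts Mike's keytab procedure and Roderick's finding about -F together, as an added example that is not from any of the posts: it refuses a keytab with loose permissions, uses a private credential cache so the job cannot collide with an interactive user's cache in /tmp, calls kinit without -F (in MIT kinit, -F requests a non-forwardable TGT, and the ipa client depends on a forwardable one to delegate credentials to the server), and points at Petr's `ipa --debug` hint on failure. The principal, keytab path and script name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): run one ipa command from cron using a
# service-account keytab. Assumes MIT Kerberos (kinit/klist/kdestroy) and the
# ipa client are installed; principal and keytab path are placeholders.
PRINCIPAL="${IPA_PRINCIPAL:-svc_useradm@EXAMPLE.COM}"
KEYTAB="${IPA_KEYTAB:-/root/svc_useradm.keytab}"

# A keytab is a long-lived credential: refuse one that is group- or
# world-readable (only modes 0600 and 0400 pass).
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

run_ipa() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing to use $KEYTAB: not mode 0600/0400" >&2; return 1; }
    # Private credential cache: the job never reads or clobbers an interactive
    # user's /tmp/krb5cc_* and the cache is destroyed when the script exits.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_cron.XXXXXX)"; export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null' EXIT
    # Deliberately no -F: that flag asks for a NON-forwardable TGT, which the
    # ipa client cannot use to delegate credentials to the IPA server.
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || {
        echo "kinit from $KEYTAB failed" >&2; return 1; }
    # klist -s is silent and exits non-zero if there is no valid TGT.
    klist -s || { echo "no valid TGT after kinit" >&2; return 1; }
    ipa "$@" || {
        echo "ipa $* failed; rerun as: ipa --debug $*" >&2; return 1; }
}

# Cron line (placeholder path):
#   */30 * * * * /usr/local/bin/ipa-cron.sh user-find --sizelimit=1
if [ "${1:-}" ]; then
    run_ipa "$@"
fi
```

Use a dedicated service principal as Mike does: ipa-getkeytab generates a new key for the principal it is run against, which is why Roderick's test user could no longer log in unless -P was used to set the password back.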


[Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi

I need to run some ipa commands in cron jobs.

The post here: 
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html 
suggests I need to use a keytab file to authenticate with Kerberos.


I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7, 
ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, 
destroy the current tickets, re-establish a TGT for the user with kinit 
using the keytab and try to run an ipa command. The ipa command fails 
(just like in my cron jobs which use the same kinit command).


1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k 
/home/test/test.keytab -P

New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step, 
otherwise it gets set to something random and the user test cannot log 
into the ipa client any more.


3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache 
FILE:/tmp/krb5cc_3395_PWO4wH)


4) kinit from the keytab:
$ kinit -F t...@example.com -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: t...@example.com

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers', 
domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, 
https://ipa2.example.com/ipa/xml


Can someone advise what I'm doing wrong in this procedure please (some 
strings were changed to anonymize the setting)?


For completeness of information, the ipa servers are RHEL 7.2, 
ipa-server-4.2.0-15.el7_2.6.1.x86_64.


Thanks

Roderick Johnstone
