Re: [Freeipa-users] Help needed with keytabs
On 5.5.2016 18:39, Roderick Johnstone wrote: > Hi > > I need to run some ipa commands in cron jobs. > > The post here: > https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html > suggests I need to use a keytab file to authenticate kerberos. > > I've tried the prescription there, with variations, without success. > > My current testing framework is to log into the ipa client (RHEL6.7, > ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy > the current tickets, re-establish a tgt for the user with kinit using the > keytab and try to run an ipa command. The ipa command fails (just like in my > cron jobs which use the same kinit command). > > 1) Log into ipa client as user test. > > 2) Get the keytab > $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k > /home/test/test.keytab -P > New Principal Password: > Verify Principal Password: > Keytab successfully retrieved and stored in: /home/test/test.keytab > > I seem to have to reset the password to what it was in this step, otherwise it > gets set to something random and the user test cannot log into the ipa client > any more. > > 3) Log into the ipa client as user test. Then > $ kdestroy > $ klist > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH) > > 4) kinit from the keytab: > $ kinit -F t...@example.com -k -t /home/test/test.keytab > > 5) Check the tickets > $ klist > Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH > Default principal: t...@example.com > > Valid starting ExpiresService principal > 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/example@example.com > > 6) Run an ipa command: > $ ipa ping > ipa: ERROR: cannot connect to Gettext('any of the configured servers', > domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, > https://ipa2.example.com/ipa/xml > > Can someone advise what I'm doing wrong in this procedure please (some strings > were changed to anonymize the setting)? Kerberos part seems okay but for some reason connection to IPA servers does not work. I would try following commands: $ ipa --debug ping $ curl 'https://ipa1.example.com/ipa/xml' and see what these print out. Petr^2 Spacek > > For completeness of information, the ipa servers are RHEL 7.2, > ipa-server-4.2.0-15.el7_2.6.1.x86_64. > > Thanks > > Roderick Johnstone -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Help needed with keytabs
Hi again After further testing, it seems like my problems were caused by the use of the -F option on the kinit line. Roderick On 05/05/2016 22:31, Roderick Johnstone wrote: Hi Mike Thanks for sharing your setup. It looks pretty much like mine. I just tried your kinit command syntax and then I can ipa ping successfully. Then I tried my kinit syntax (after a kdestroy) and I can still ipa ping successfully! So, it does work now, but I don't know why it didn't work for me earlier. It feels like some sort of caching problem but I think kdestroy clears the cache. Thanks again for your help. Roderick On 05/05/2016 19:47, Michael ORourke wrote: Roderick, Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure. ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab Now we can leverage the keytab for that user principal. Example: [root@infrae2u01 ~]# kdestroy [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL [root@infrae2u01 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: svc_user...@lnx.dr.LOCAL Valid starting ExpiresService principal 05/05/16 14:24:12 05/06/16 14:24:12 krbtgt/lnx.dr.lo...@lnx.dr.LOCAL [root@infrae2u01 ~]# ipa ping -- IPA server version 3.0.0. API version 2.49 -- If you need to access the service account, then setup a sudo rule to switch user to that account. Example: "sudo su - svc_useradm" -Mike -Original Message- From: Roderick Johnstone <r...@ast.cam.ac.uk> Sent: May 5, 2016 12:39 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Help needed with keytabs Hi I need to run some ipa commands in cron jobs. The post here: https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html suggests I need to use a keytab file to authenticate kerberos. I've tried the prescription there, with variations, without success. My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command). 1) Log into ipa client as user test. 2) Get the keytab $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P New Principal Password: Verify Principal Password: Keytab successfully retrieved and stored in: /home/test/test.keytab I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more. 3) Log into the ipa client as user test. Then $ kdestroy $ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH) 4) kinit from the keytab: $ kinit -F t...@example.com -k -t /home/test/test.keytab 5) Check the tickets $ klist Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH Default principal: t...@example.com Valid starting ExpiresService principal 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/example@example.com 6) Run an ipa command: $ ipa ping ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)? For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64. Thanks Roderick Johnstone -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Help needed with keytabs
Hi Mike Thanks for sharing your setup. It looks pretty much like mine. I just tried your kinit command syntax and then I can ipa ping successfully. Then I tried my kinit syntax (after a kdestroy) and I can still ipa ping successfully! So, it does work now, but I don't know why it didn't work for me earlier. It feels like some sort of caching problem but I think kdestroy clears the cache. Thanks again for your help. Roderick On 05/05/2016 19:47, Michael ORourke wrote: Roderick, Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure. ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab Now we can leverage the keytab for that user principal. Example: [root@infrae2u01 ~]# kdestroy [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL [root@infrae2u01 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: svc_user...@lnx.dr.LOCAL Valid starting ExpiresService principal 05/05/16 14:24:12 05/06/16 14:24:12 krbtgt/lnx.dr.lo...@lnx.dr.LOCAL [root@infrae2u01 ~]# ipa ping -- IPA server version 3.0.0. API version 2.49 -- If you need to access the service account, then setup a sudo rule to switch user to that account. Example: "sudo su - svc_useradm" -Mike -Original Message- From: Roderick Johnstone <r...@ast.cam.ac.uk> Sent: May 5, 2016 12:39 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Help needed with keytabs Hi I need to run some ipa commands in cron jobs. The post here: https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html suggests I need to use a keytab file to authenticate kerberos. I've tried the prescription there, with variations, without success. My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command). 1) Log into ipa client as user test. 2) Get the keytab $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P New Principal Password: Verify Principal Password: Keytab successfully retrieved and stored in: /home/test/test.keytab I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more. 3) Log into the ipa client as user test. Then $ kdestroy $ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH) 4) kinit from the keytab: $ kinit -F t...@example.com -k -t /home/test/test.keytab 5) Check the tickets $ klist Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH Default principal: t...@example.com Valid starting ExpiresService principal 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/example@example.com 6) Run an ipa command: $ ipa ping ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)? For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64. Thanks Roderick Johnstone -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Help needed with keytabs
Roderick, Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure. ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab Now we can leverage the keytab for that user principal. Example: [root@infrae2u01 ~]# kdestroy [root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_user...@lnx.dr.LOCAL [root@infrae2u01 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: svc_user...@lnx.dr.LOCAL Valid starting ExpiresService principal 05/05/16 14:24:12 05/06/16 14:24:12 krbtgt/lnx.dr.lo...@lnx.dr.LOCAL [root@infrae2u01 ~]# ipa ping -- IPA server version 3.0.0. API version 2.49 -- If you need to access the service account, then setup a sudo rule to switch user to that account. Example: "sudo su - svc_useradm" -Mike -Original Message- >From: Roderick Johnstone <r...@ast.cam.ac.uk> >Sent: May 5, 2016 12:39 PM >To: freeipa-users@redhat.com >Subject: [Freeipa-users] Help needed with keytabs > >Hi > >I need to run some ipa commands in cron jobs. > >The post here: >https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html >suggests I need to use a keytab file to authenticate kerberos. > >I've tried the prescription there, with variations, without success. > >My current testing framework is to log into the ipa client (RHEL6.7, >ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, >destroy the current tickets, re-establish a tgt for the user with kinit >using the keytab and try to run an ipa command. The ipa command fails >(just like in my cron jobs which use the same kinit command). > >1) Log into ipa client as user test. > >2) Get the keytab >$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k >/home/test/test.keytab -P >New Principal Password: >Verify Principal Password: >Keytab successfully retrieved and stored in: /home/test/test.keytab > >I seem to have to reset the password to what it was in this step, >otherwise it gets set to something random and the user test cannot log >into the ipa client any more. > >3) Log into the ipa client as user test. Then >$ kdestroy >$ klist >klist: No credentials cache found (ticket cache >FILE:/tmp/krb5cc_3395_PWO4wH) > >4) kinit from the keytab: >$ kinit -F t...@example.com -k -t /home/test/test.keytab > >5) Check the tickets >$ klist >Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH >Default principal: t...@example.com > >Valid starting ExpiresService principal >05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/example@example.com > >6) Run an ipa command: >$ ipa ping >ipa: ERROR: cannot connect to Gettext('any of the configured servers', >domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, >https://ipa2.example.com/ipa/xml > >Can someone advise what I'm doing wrong in this procedure please (some >strings were changed to anonymize the setting)? > >For completeness of information, the ipa servers are RHEL 7.2, >ipa-server-4.2.0-15.el7_2.6.1.x86_64. > >Thanks > >Roderick Johnstone > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Help needed with keytabs
Hi I need to run some ipa commands in cron jobs. The post here: https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html suggests I need to use a keytab file to authenticate kerberos. I've tried the prescription there, with variations, without success. My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command). 1) Log into ipa client as user test. 2) Get the keytab $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k /home/test/test.keytab -P New Principal Password: Verify Principal Password: Keytab successfully retrieved and stored in: /home/test/test.keytab I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more. 3) Log into the ipa client as user test. Then $ kdestroy $ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH) 4) kinit from the keytab: $ kinit -F t...@example.com -k -t /home/test/test.keytab 5) Check the tickets $ klist Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH Default principal: t...@example.com Valid starting ExpiresService principal 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/example@example.com 6) Run an ipa command: $ ipa ping ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)? For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64. Thanks Roderick Johnstone -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project