Roderick,

Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure.

ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab

Now we can leverage the keytab for that user principal. Example:

[root@infrae2u01 ~]# kdestroy
[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab [email protected]
[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/[email protected]
[root@infrae2u01 ~]# ipa ping
------------------------------------------
IPA server version 3.0.0. API version 2.49
------------------------------------------

If you need to access the service account, then set up a sudo rule to switch user to that account. Example: "sudo su - svc_useradm"

-Mike

-----Original Message-----
>From: Roderick Johnstone <[email protected]>
>Sent: May 5, 2016 12:39 PM
>To: [email protected]
>Subject: [Freeipa-users] Help needed with keytabs
>
>Hi
>
>I need to run some ipa commands in cron jobs.
>
>The post here:
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>suggests I need to use a keytab file to authenticate kerberos.
>
>I've tried the prescription there, with variations, without success.
>
>My current testing framework is to log into the ipa client (RHEL6.7,
>ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab,
>destroy the current tickets, re-establish a tgt for the user with kinit
>using the keytab and try to run an ipa command. The ipa command fails
>(just like in my cron jobs which use the same kinit command).
>
>1) Log into ipa client as user test.
>
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p [email protected] -k
>/home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>
>I seem to have to reset the password to what it was in this step,
>otherwise it gets set to something random and the user test cannot log
>into the ipa client any more.
>
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache
>FILE:/tmp/krb5cc_3395_PWO4wH)
>
>4) kinit from the keytab:
>$ kinit -F [email protected] -k -t /home/test/test.keytab
>
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal: [email protected]
>
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/[email protected]
>
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers',
>domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
>https://ipa2.example.com/ipa/xml
>
>Can someone advise what I'm doing wrong in this procedure please (some
>strings were changed to anonymize the setting)?
>
>For completeness of information, the ipa servers are RHEL 7.2,
>ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
>Thanks
>
>Roderick Johnstone
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
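An added example, not code from Mike's reply or from FreeIPA, of wrapping the kinit-from-keytab step for a cron job as described in the thread: it refuses a keytab that other users can read, uses a private credential cache so kdestroy never wipes root's interactive /tmp/krb5cc_0 (as it does in the session above), confirms the TGT with klist -s, and destroys the cache afterwards. The keytab path is Mike's; the realm REALM.EXAMPLE and the script name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: run an ipa command from cron with a
# service-account keytab. REALM.EXAMPLE is a placeholder for the site's realm.
set -u

# A keytab is a long-lived credential: refuse one that is missing or that
# group/other can read (accept only mode 600 or 400).
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# run_with_keytab KEYTAB PRINCIPAL COMMAND...
# Obtains a TGT from KEYTAB into a private credential cache (so the cron job
# never touches an administrator's /tmp/krb5cc_0), verifies it, runs COMMAND
# and destroys the cache. Returns COMMAND's exit status, or 1 when the keytab
# is unusable or kinit/klist fail.
run_with_keytab() {
    keytab=$1; principal=$2; shift 2
    if ! keytab_is_private "$keytab"; then
        echo "refusing keytab $keytab: missing or not mode 600/400" >&2
        return 1
    fi
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_svc.XXXXXX") || return 1
    KRB5CCNAME="FILE:$cache"; export KRB5CCNAME
    if ! kinit -k -t "$keytab" "$principal"; then
        rm -f "$cache"
        return 1
    fi
    # klist -s is silent and exits non-zero if there is no valid, unexpired TGT
    if ! klist -s; then
        kdestroy
        return 1
    fi
    "$@"
    rc=$?
    kdestroy            # removes only the private cache created above
    return "$rc"
}

# Cron entry (placeholder script name), e.g. nightly at 02:15:
# 15 2 * * * /usr/local/sbin/ipa-cron.sh
# where the script's last line is:
# run_with_keytab /root/svc_useradm.keytab svc_useradm@REALM.EXAMPLE ipa ping
```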
