On 5.5.2016 18:39, Roderick Johnstone wrote:
> Hi
>
> I need to run some ipa commands in cron jobs.
>
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate with Kerberos.
>
> I've tried the prescription there, with variations, without success.
>
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a TGT for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
>
> 1) Log into the ipa client as user test.
>
> 2) Get the keytab:
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p [email protected] -k /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
>
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
>
> 3) Log into the ipa client as user test. Then:
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>
> 4) kinit from the keytab:
> $ kinit -F [email protected] -k -t /home/test/test.keytab
>
> 5) Check the tickets:
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 05/05/16 17:24:44    05/06/16 17:24:44    krbtgt/[email protected]
>
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://ipa2.example.com/ipa/xml
>
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?
The Kerberos part seems okay, but for some reason the connection to the IPA servers does not work. I would try the following commands:

$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'

and see what these print out.

Petr^2 Spacek

> For completeness of information, the ipa servers are RHEL 7.2,
> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
> Thanks
>
> Roderick Johnstone

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
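A cron wrapper that applies the keytab procedure from the thread, added here as an example (it is not code from the thread or from FreeIPA): it refuses a keytab readable by anyone but its owner, acquires the TGT into a private credential cache instead of the user's interactive one, runs the ipa command with --debug as the reply suggests, and discards the cache afterwards. The principal, keytab path and cache location are assumed placeholder values.

```shell
#!/bin/sh
# Cron wrapper: run one ipa command with credentials from a user keytab.
# PRINCIPAL and KEYTAB are assumed values for illustration, not from the thread.
PRINCIPAL="${PRINCIPAL:-test@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/home/test/test.keytab}"

# A keytab is equivalent to the account's password, so refuse one that is
# readable by group or others. Columns 5-10 of `ls -ld` are the group and
# other permission bits; all dashes means owner-only access (e.g. mode 0600).
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Acquire a TGT into a private credential cache so the job neither depends on
# nor clobbers the user's interactive cache (the FILE:/tmp/krb5cc_* seen in the
# thread), run the ipa command, and destroy the cache on exit.
run_ipa_as_service() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing to use $KEYTAB: must be a regular file readable by owner only" >&2
        return 2
    }
    cache=$(mktemp /tmp/krb5cc_cron.XXXXXX) || return 2
    export KRB5CCNAME="FILE:$cache"
    trap 'kdestroy -q 2>/dev/null; rm -f "$cache"' EXIT
    if ! kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        echo "kinit from $KEYTAB failed for $PRINCIPAL" >&2
        return 3
    fi
    # Here klist would show the TGT as in step 5 of the thread; if the ipa
    # command still fails, --debug shows which server URL it could not reach.
    ipa --debug "$@"
}

# Run only when invoked with an ipa command, e.g.:  ipa-cron.sh ping
if [ $# -gt 0 ]; then
    run_ipa_as_service "$@"
fi
```

A crontab entry such as `*/10 * * * * /home/test/ipa-cron.sh ping >>/home/test/ipa-cron.log 2>&1` then records the --debug output for the failing case.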
