Keytab file for a user principal: ipa-getkeytab -p user@REALM -k keytab.file
in order to initiate it with kinit -kt keytab.file
and they perform ldapsearch -Y or ipa <some-command> from scripts, for example.
And the questions are: how could ipa-getkeytab corrupt the entire Kerberos subsystem? What is the proper way to generate this keytab?
Thank you
On Tue, Jun 21, 2022 at 6:51 PM Rob Crittenden rcritten@redhat.com wrote:
skrawczenko--- via FreeIPA-users wrote:
Hello again.
I gave up restoring certificates as discussed in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
While I had to recover the service and rescue data at any cost,
so my decision was probably wrong, but I didn't have options: I deployed RedHat instead of CentOS and then deployed fresh IPA 4.9.8.
Then I migrated the directory from the old cluster, excluding Kerberos
fields and some service accounts/groups.
Rebuilt DNS, etc.
Initially everything was good; at least users, groups and credentials
were saved.
But further configuration resulted in some troubles. Briefly, I can't run
commands as admin or as anyone else:
[root@idm0 ~]# kinit admin
Password for admin@<REALM>
[root@idm0 ~]# klist
Ticket cache: KCM:0
Default principal: admin@<REALM>

Valid starting       Expires              Service principal
06/20/22 07:42:19    06/21/22 06:42:23    krbtgt/<REALM>@<REALM>

[root@idm0 ~]# ipa user-show admin
ipa: ERROR: cannot connect to 'https://idm0...../ipa/session/json':
Exceeded number of tries to forward a request.

[root@idm0 ~]# kinit <any other user>
[root@idm0 ~]# ipa user-show <any other user>
ipa: ERROR: Insufficient access: Invalid credentials

and /var/log/httpd/error.log has:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credential
What could be broken? This happened while I was trying to generate a
keytab for kinit -kt <file> scripts...
You got a keytab for what? A user, service, other?
rob