On 2017-09-19 11:24, Alexander Bokovoy wrote:
On Tue, 19 Sep 2017, Ronald Wimmer wrote:
Why does fetching a keytab influence its version number?
If I have three servers in a load balancer service compound and do a
    ipa-getkeytab -k /etc/httpd.keytab -p HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
on each of the servers, is the kvno increased with every fetch command, invalidating the keytab on the first two servers if I issue the command on the third?
I would really appreciate some clarification here.
ipa-getkeytab by design resets the key. It is documented elsewhere, in the man page for ipa-getkeytab and also in the IPA documentation.
If you are on a newer IPA version (4.1 or later), its ipa-getkeytab has an option '-r' that allows you to retrieve the existing key if you have enough privileges for that. https://www.freeipa.org/page/V4/Keytab_Retrieval_Management describes this feature.
Thanks a lot for this vital information!
Regards, Ronald
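As an added example (not part of the thread above, and not FreeIPA's own tooling): after the first node has fetched the keytab and the remaining nodes have used `-r` to retrieve the existing key, a practitioner would want to confirm that the kvno for the shared principal agrees on every load-balanced node. The function below checks that over constructed `klist -k` output; the hostnames web1..web3 and the kvno values are assumptions.

```shell
#!/bin/sh
# First node (creates a new key and bumps the kvno):
#   ipa-getkeytab -k /etc/httpd.keytab -p HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
# Every other node (retrieves the existing key, kvno unchanged; needs IPA >= 4.1):
#   ipa-getkeytab -r -k /etc/httpd.keytab -p HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
# Collect one line per node, e.g. on each host:
#   klist -k /etc/httpd.keytab | awk -v h="$(hostname -s)" 'NR > 2 { print h, $0 }'

PRINC='HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT'

# Constructed sample: all three nodes hold kvno 3 (second and third used -r).
SAMPLE_OK='web1 3 HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
web2 3 HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
web3 3 HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT'

# Constructed sample: web3 ran ipa-getkeytab without -r, so the key was reset
# to kvno 4 and the keytabs on web1 and web2 are now stale.
SAMPLE_DRIFT='web1 3 HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
web2 3 HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT
web3 4 HTTP/compoundservice.linux.mydomain.at@LINUX.MYDOMAIN.AT'

# kvno_consistent "<host kvno principal lines>" PRINCIPAL
# Returns 0 if every host reports the same kvno for PRINCIPAL,
# 1 if the kvnos differ (listing which hosts hold which kvno),
# 2 if the principal does not appear at all.
kvno_consistent() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $3 == p {
            if (!($2 in hosts)) n++
            hosts[$2] = hosts[$2] " " $1
        }
        END {
            if (n == 0) { print "principal " p " not found"; exit 2 }
            if (n > 1) {
                for (k in hosts) print "kvno " k ":" hosts[k]
                print "kvno mismatch: nodes with the lower kvno hold a stale keytab"
                exit 1
            }
            for (k in hosts) print "all nodes agree on kvno " k
        }'
}

kvno_consistent "$SAMPLE_OK" "$PRINC"
kvno_consistent "$SAMPLE_DRIFT" "$PRINC"
```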