On Wed, Jun 22, 2022 at 5:43 PM Rob Crittenden rcritten@redhat.com wrote:
Serge Krawczenko via FreeIPA-users wrote:
keytab file for user principal ipa-getkeytab -p user@REALM -k keytab.file
in order to initiate it like kinit -kt keytab.file
and they perform ldapsearch -Y or ipa <some-command> from scripts for example
and the questions are: How could ipa-getkeytab corrupt the entire Kerberos subsystem? What is the proper way to generate this keytab?
Getting a keytab for a user changes their password.
It's hard to know what is going on with so few details. You mentioned scripts, that this affects all users. But you only got a keytab for admin?
So I guess we need to see what you're really executing (have executed) to figure out what is going on.
So no users at all work? How? They can't kinit? They can't use the resulting ticket? Against which services?
rob
OK, let's ignore the fact I've completely broken Kerberos by trying to generate the keytab file. Here's the more specific question, and I'm humbly awaiting your advice.
I had a script which was used for years to perform some tasks such as adjusting group membership etc. It basically had the following stages:
kinit -kt keytab file <user>
ldapsearch -Q -Y GSSAPI -h localhost <whatever i want>
ipa <some commands>
This keytab file was generated for a dedicated user.
Obviously, kinit was required for LDAP GSSAPI and ipa commands.
So my question is:
What's the proper way to obtain such a keytab file for my dedicated user so script running under this user could authenticate and be able to perform the listed operations? Asking because I am concerned about breaking something in Kerberos again.
Here's a file used for years for this purpose on the old cluster which hasn't survived:
klist -ket adsync.keytab
Keytab name: FILE:adsync.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 26.10.17 07:19:37 adsync@<REALM> (aes256-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@<REALM> (aes128-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@<REALM> (des3-cbc-sha1)
   4 26.10.17 07:19:37 adsync@<REALM> (arcfour-hmac)
And as I mentioned in the beginning, my attempt to generate the keytab, whose content actually looked the same on the fresh IPA deployment, had broken something, and admin as well as any user lost the ability to authenticate.
With gratitude,
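A defender-side sanity check for a keytab like the one listed above, added here as an example and not part of this thread: it parses `klist -ket` output (the embedded samples are constructed, with EXAMPLE.TEST as a placeholder realm, not the poster's real keytab), reports the distinct KVNOs in the file, and flags the des3-cbc-sha1 and arcfour-hmac entries, which RFC 8429 deprecates. Running it before and after regenerating a keytab makes visible the effect Rob describes: `ipa-getkeytab` without `-r` creates new keys and bumps the KVNO, so any older keytab for that principal (and its password) stops working.

```shell
#!/bin/sh
# Constructed sample in the layout of `klist -ket` (placeholder realm, not real data).
SAMPLE_MIXED='Keytab name: FILE:adsync.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (des3-cbc-sha1)
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (arcfour-hmac)'

# Constructed sample of a keytab with only AES keys at a single KVNO.
SAMPLE_CLEAN='Keytab name: FILE:adsync.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 01.07.22 10:00:00 adsync@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 01.07.22 10:00:00 adsync@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# Print "kvno principal enctype" for each key entry; header lines do not start with a number.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# Distinct KVNOs, space separated. More than one means stale keys are mixed in.
keytab_kvnos() {
    keytab_entries "$1" | awk '{ print $1 }' | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Enctypes deprecated by RFC 8429 (DES3, RC4/arcfour) plus single DES, space separated.
weak_enctypes() {
    keytab_entries "$1" | awk '$3 ~ /^(des3-cbc-sha1|arcfour-hmac|des-)/ { print $3 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only when the keytab has exactly one KVNO and no weak enctypes.
# Note: `ipa-getkeytab -r` retrieves the existing keys instead of generating new ones,
# which is how a second copy of a keytab can be made without bumping the KVNO.
keytab_ok() {
    kv=$(keytab_kvnos "$1")
    case "$kv" in *" "*) return 1 ;; esac
    [ -z "$(weak_enctypes "$1")" ]
}

# Usage on a real file: keytab_ok "$(klist -ket adsync.keytab)" || echo "review keytab"
```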