On Thu, Jun 23, 2022 at 5:07 PM Christian Heimes via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 23/06/2022 13.30, Serge Krawczenko via FreeIPA-users wrote:
kinit -kt <keytab file> <user>
ldapsearch -Q -Y GSSAPI -h localhost <whatever I want>
ipa <some commands>
This keytab file was generated for a dedicated user.
Obviously, kinit was required for ldap gssapi and ipa commands.
Actually kinit is not needed.
Any GSSAPI-enabled client can automatically acquire or refresh a TGT by other means. For example, if you set the environment variable KRB5_CLIENT_KTNAME=/path/to/keytab, then ldapsearch and ipa will acquire a TGT for the first principal in the keytab if needed.
For extra security you can use gss-proxy and let it handle the keytab for you. You need a mapping (e.g. map keytab to effective uid) and set the env var GSS_USE_PROXY=yes for the command.
Christian
Surprising but true. When logged in via sssd, the proper TGT seems to be activated and ipa/ldapsearch work. Just a minor clarification:
ldapsearch operates properly with `hostname` but not with localhost. With localhost I'm getting:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/localhost@<REALM> not found in Kerberos database)
Are any actions needed to enable the ldap/localhost principal?
This is for better understanding rather than practical use.
Great thanks.
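The two points raised in this thread, acquiring a TGT from a keytab without kinit and the ldap/localhost failure, as an added shell example that is not part of the thread or of FreeIPA itself. The keytab path, the principal names, the realm EXAMPLE.TEST and the `klist -kt` sample output are all constructed for the example; the gssproxy stanza in the comment is an assumed layout that you should check against gssproxy.conf(5) before use.

```shell
#!/bin/sh
# Added example: run GSSAPI clients (ldapsearch, ipa) from a keytab with no
# explicit kinit, and explain why "-h localhost" cannot work for a GSSAPI bind.

# Constructed sample of `klist -kt` output (not real data) so the parser below
# can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/ipa-app.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/23/2022 12:00:00 svc-ldapreader@EXAMPLE.TEST
   3 06/23/2022 12:00:00 svc-ldapreader@EXAMPLE.TEST
   1 06/23/2022 12:00:00 host/client.example.test@EXAMPLE.TEST'

# first_keytab_principal: read `klist -kt` output on stdin and print the first
# principal. With KRB5_CLIENT_KTNAME set and no usable ccache, libkrb5 obtains
# a TGT for the first principal in the keytab, so this is the identity the
# command will actually run as. Entry lines start with a numeric KVNO.
first_keytab_principal() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $4; exit }'
}

# ldap_service_principal HOST REALM: the service principal a GSSAPI bind to
# ldap://HOST asks the KDC for. FreeIPA only registers ldap/<fqdn>@REALM for
# its servers, so HOST=localhost yields ldap/localhost@REALM, which does not
# exist, hence "Server ldap/localhost@REALM not found in Kerberos database".
ldap_service_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# gssapi_ldap_host HOST: map loopback names to the machine's canonical FQDN so
# the requested service ticket matches the principal the KDC holds.
gssapi_ldap_host() {
    case "$1" in
        localhost|127.0.0.1|::1) hostname -f ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# run_with_keytab KEYTAB CMD...: run CMD with KRB5_CLIENT_KTNAME pointing at
# KEYTAB. libkrb5 acquires or refreshes the TGT itself; nothing is kinit'ed
# into the caller's ccache beforehand. The readability check gives a clear
# error instead of an opaque GSSAPI failure from the client.
run_with_keytab() {
    keytab=$1
    shift
    [ -r "$keytab" ] || { echo "keytab not readable: $keytab" >&2; return 2; }
    KRB5_CLIENT_KTNAME=$keytab "$@"
}

# run_with_gssproxy CMD...: same idea, but the keytab never has to be readable
# by the calling uid: gssproxy holds it and hands out credentials based on a
# mapping. Assumed /etc/gssproxy/NN-ipa-app.conf layout (verify against
# gssproxy.conf(5)):
#   [service/ipa-app]
#     mechs = krb5
#     euid = 1001
#     cred_store = client_keytab:/etc/ipa-app.keytab
#     cred_usage = initiate
run_with_gssproxy() {
    GSS_USE_PROXY=yes "$@"
}
```

Typical use, sourcing the file as a library: `run_with_keytab /etc/ipa-app.keytab ldapsearch -Q -Y GSSAPI -H "ldap://$(gssapi_ldap_host localhost)" -b "$BASE" '(uid=*)'` and `run_with_keytab /etc/ipa-app.keytab ipa user-find`. `klist -kt /etc/ipa-app.keytab | first_keytab_principal` tells you which principal those commands will bind as, which matters when a keytab holds several. The gss-proxy variant is preferable for unattended jobs, since the keytab can then be owned by root and the service account never needs to read it.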