Grant Janssen via FreeIPA-users wrote:
an inexperienced administrator overwrote the /etc/krb5.keytab on my IDM server. (ugh!)
I had thought ipa-getkeytab was retrieving the keytab, but now see I regenerated it and SHOULD have used the -r flag.
ipa-getkeytab(1)                IPA Manual Pages                ipa-getkeytab(1)

NAME
       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS
       ipa-getkeytab -p principal-name -k keytab-file [-e encryption-types] [-s ipaserver] [-q] [-D|--binddn BINDDN] [-w|--bindpw] [-P|--password PASSWORD] [--cacert CACERT] [-H|--ldapuri URI] [-Y|--mech GSSAPI|EXTERNAL] [-r]

DESCRIPTION
       Retrieves a Kerberos keytab.
       -snip-
       WARNING: retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid.
       -snip-
grant@ef-idm01:/etc[20210302-15:39][#1009]$ ipa-getkeytab -s ef-idm01.production.efilm.com -p host/ef-idm01.production.efilm.com -k ~/ef-idm01.krb5.keytab
Keytab successfully retrieved and stored in: /home/grant/ef-idm01.krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1010]$ sudo rsync -av ~/ef-idm01.krb5.keytab /etc/krb5.keytab
sending incremental file list
ef-idm01.krb5.keytab
sent 521 bytes  received 31 bytes  1104.00 bytes/sec
total size is 418  speedup is 0.76
grant@ef-idm01:/etc[20210302-15:40][#1011]$ ls -al /etc/krb5.keytab
-rw------- 1 grant grant 418 Mar  2 15:40 /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1012]$ sudo chown root.root /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:41][#1013]$
What are the possible repercussions of regenerating this keytab?
I don’t see any issues. Am I missing anything?
You shouldn't see any issues.
If you have SELinux enabled, and you should, I'd also run restorecon on the keytab.
rob
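Added example, not from the thread or from FreeIPA itself: the man page warning quoted above means the KDC issues a new key version (kvno) when the keytab is regenerated, so any older copy of that principal's keytab stops authenticating. The Python below parses MIT keytab files (format 0x0502) and reports which principals in an old copy carry a kvno lower than the freshly retrieved keytab; the realm, kvno values and key bytes in the sample data are constructed assumptions.

```python
import struct

def build_entry(realm, components, kvno, enctype, key, timestamp, name_type=1):
    """Serialize one 0x0502 keytab entry; used here only to construct sample input."""
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, time, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key             # keyblock (enctype, length, key)
    body += struct.pack(">I", kvno)                                  # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [{principal, kvno, enctype, timestamp}] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                  # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        strings = []                  # realm first, then ncomp name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # skip the key bytes; only metadata is reported
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries

def stale_principals(old_keytab, new_keytab):
    """Principals whose kvno in old_keytab is lower than in new_keytab: those keys no longer work."""
    newest = {e["principal"]: e["kvno"] for e in parse_keytab(new_keytab)}
    return sorted(e["principal"] for e in parse_keytab(old_keytab)
                  if e["kvno"] < newest.get(e["principal"], 0))

# Constructed sample data: realm, kvno values and key bytes are assumptions, not from the thread.
REALM, HOST = "PRODUCTION.EFILM.COM", ["host", "ef-idm01.production.efilm.com"]
OLD_KEYTAB = b"\x05\x02" + build_entry(REALM, HOST, 2, 18, b"\x11" * 32, 1600000000)
NEW_KEYTAB = b"\x05\x02" + build_entry(REALM, HOST, 3, 18, b"\x22" * 32, 1614699600)
```

On a real host, `klist -kt /etc/krb5.keytab` prints the same kvno and principal information for each entry.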