On ke, 31 maalis 2021, Peter Tselios via FreeIPA-users wrote:
> Hello,
> When I retrieve a service keytab, what I do is more or less this:
> ipa-getkeytab -a admin -P password -s service/client.example.com -k /path/to/keytab
> However, the ipa-getkeytab man page mentions this:
> ===========
> -Y, --mech
> SASL mechanism to use if -D and -w are not specified. Use either GSSAPI or EXTERNAL.
> ===========
> So, if I am not mistaken, that means I can use another keytab in order to download the
> service/client.example.com one. Is that true?
> And if so, which keytab should I use and how? Because I cannot find an option that goes
> along with the -Y GSSAPI.
It expects that your current credentials cache has valid credentials:
kinit -k -t /path/to/keytab.file
ipa-getkeytab -Y GSSAPI ...
IPA hosts that manage IPA services can re-key their Kerberos keys by
default.
If more control is needed, see the following IPA CLI commands
(ipa help <command> is useful to get more details):
host-allow-create-keytab          Allow users, groups, hosts or host groups to create a keytab of this host.
host-allow-retrieve-keytab        Allow users, groups, hosts or host groups to retrieve a keytab of this host.
host-disallow-create-keytab       Disallow users, groups, hosts or host groups to create a keytab of this host.
host-disallow-retrieve-keytab     Disallow users, groups, hosts or host groups to retrieve a keytab of this host.
service-allow-create-keytab       Allow users, groups, hosts or host groups to create a keytab of this service.
service-allow-retrieve-keytab     Allow users, groups, hosts or host groups to retrieve a keytab of this service.
service-disallow-create-keytab    Disallow users, groups, hosts or host groups to create a keytab of this service.
service-disallow-retrieve-keytab  Disallow users, groups, hosts or host groups to retrieve a keytab of this service.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
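An added example, not code from the thread or from FreeIPA itself, that scripts the procedure Alexander describes: kinit from one keytab into a private credential cache, then ipa-getkeytab -Y GSSAPI for the service keytab. The realm EXAMPLE.COM, the hosts ipa.example.com and client.example.com, and the keytab paths are placeholders, and the script assumes the host principal was granted access beforehand with service-allow-retrieve-keytab (or service-allow-create-keytab) as listed above. The check_keytab_perms and getkeytab_cmd helpers are this example's own, not part of the IPA client.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself. It retrieves
# a service keytab using the credentials of another keytab (here the host
# keytab), as described above: kinit -k -t, then ipa-getkeytab -Y GSSAPI.
# Assumptions (placeholders): realm EXAMPLE.COM, IPA server ipa.example.com,
# client host client.example.com, and that access was granted beforehand, e.g.:
#   ipa service-allow-retrieve-keytab service/client.example.com --hosts=client.example.com
set -eu

# Refuse to use a keytab that is missing or readable by group/others: a
# readable keytab is equivalent to the plaintext password of that principal.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the ipa-getkeytab command line. mode=retrieve adds -r so the existing
# keys are fetched instead of regenerated; without -r the server creates new
# keys, which silently invalidates other copies of that keytab.
getkeytab_cmd() {
    server="$1"; principal="$2"; out="$3"; mode="${4:-create}"
    extra=""
    if [ "$mode" = "retrieve" ]; then extra=" -r"; fi
    printf 'ipa-getkeytab -Y GSSAPI%s -s %s -p %s -k %s\n' "$extra" "$server" "$principal" "$out"
}

# Full procedure: obtain a TGT from the source keytab into a private, temporary
# credential cache, retrieve the target keytab, list it, then drop the TGT.
retrieve_service_keytab() {
    src_keytab="$1"; src_principal="$2"; ipa_server="$3"; svc_principal="$4"; out="$5"; mode="${6:-create}"
    check_keytab_perms "$src_keytab" || {
        echo "refusing to use $src_keytab: missing or too permissive" >&2
        return 1
    }
    ccache=$(mktemp /tmp/krb5cc_getkeytab.XXXXXX)
    KRB5CCNAME="FILE:$ccache"; export KRB5CCNAME
    trap 'kdestroy -q >/dev/null 2>&1 || true' EXIT
    kinit -k -t "$src_keytab" "$src_principal"
    umask 077   # the new keytab is created owner-readable only
    if [ "$mode" = "retrieve" ]; then
        ipa-getkeytab -Y GSSAPI -r -s "$ipa_server" -p "$svc_principal" -k "$out"
    else
        ipa-getkeytab -Y GSSAPI -s "$ipa_server" -p "$svc_principal" -k "$out"
    fi
    klist -kt "$out"
}

# Only perform the real retrieval when asked to and the IPA client is installed.
if [ "${1:-}" = "--run" ] && command -v ipa-getkeytab >/dev/null 2>&1; then
    retrieve_service_keytab /etc/krb5.keytab "host/client.example.com@EXAMPLE.COM" \
        ipa.example.com "service/client.example.com@EXAMPLE.COM" /etc/service.keytab retrieve
fi
```

Run it as "sh getkeytab.sh --run" on the enrolled client. The temporary KRB5CCNAME keeps the host TGT out of the user's normal cache, and the trap removes it when the script exits; pass "retrieve" as the last argument (which maps to -r) whenever another host already holds a working copy of the service keytab, since the default create mode issues fresh keys.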