On Wed, Jun 22, 2022 at 5:43 PM Rob Crittenden <rcritten@redhat.com> wrote:
Serge Krawczenko via FreeIPA-users wrote:
> keytab file for user principal
> ipa-getkeytab -p user@REALM -k keytab.file
>
> in order to initiate it like
> kinit -kt keytab.file
>
> and they perform ldapsearch -Y or ipa <some-command> from scripts for
> example
>
> and the questions are:
> how could ipa-getkeytab corrupt the entire Kerberos subsystem?
> what is the proper way to generate this keytab?

Getting a keytab for a user changes their password.

It's hard to know what is going on with so few details. You mentioned
scripts, that this affects all users. But you only got a keytab for admin?

So I guess we need to see what you're really executing (have executed)
to figure out what is going on.

So no users at all work? How? They can't kinit? They can't use the
resulting ticket? Against which services?

rob

OK, let's ignore the fact I've completely broken Kerberos by trying to generate the keytab file.
Here's the more specific question; I humbly await your advice.

I had a script which was used for years to perform some tasks such as adjusting group membership, etc.
It basically had the following stages:

kinit -kt keytab file <user>
ldapsearch -Q -Y GSSAPI -h localhost  <whatever i want>
ipa <some commands>

This keytab file was generated for a dedicated user.

Obviously, kinit was required for ldap gssapi and ipa commands.

So my question is:

What's the proper way to obtain such a keytab file for my dedicated user, so that a script running under this user
could authenticate and be able to perform the listed operations?
Asking because I am concerned about breaking something in Kerberos again.

Here's a file used for years for this purpose on the old cluster which hasn't survived:

klist -ket adsync.keytab
Keytab name: FILE:adsync.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 26.10.17 07:19:37 adsync@<REALM> (aes256-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@<REALM> (aes128-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@<REALM> (des3-cbc-sha1)
   4 26.10.17 07:19:37 adsync@<REALM> (arcfour-hmac) 


And as I mentioned in the beginning, my attempt to generate the keytab, whose content actually looked the
same on the fresh IPA deployment, had broken something, and admin as well as all users lost the ability to
authenticate.

With gratitude,
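The listing above is the output of `klist -ket`, and Rob's point earlier in the thread is that `ipa-getkeytab` for a user principal resets that user's password, so the principal you fetch a keytab for must be the dedicated script account and nothing else. The following is an added example, not code from the thread or from FreeIPA: a small Python checker that parses `klist -ket` output and reports (a) entries whose principal is not the expected dedicated account, (b) entries using the deprecated des3-cbc-sha1 / arcfour-hmac enctypes that appear in the listing, and (c) a keytab that mixes KVNOs. The sample listing, the realm `EXAMPLE.TEST` and the function names are constructed for the example; in real use you would pipe `klist -ket adsync.keytab` into it.

```python
import re
import sys
from dataclasses import dataclass

# Enctypes MIT krb5 marks deprecated/weak; the old keytab in the thread still carries two of them.
WEAK_ENCTYPES = {
    "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
}

# One "klist -ket" entry line: KVNO, timestamp (date + time), principal, (enctype)
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)

# Constructed sample mirroring the listing in the thread, with a placeholder realm.
SAMPLE_KLIST = """\
Keytab name: FILE:adsync.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (des3-cbc-sha1)
   4 26.10.17 07:19:37 adsync@EXAMPLE.TEST (arcfour-hmac)
"""


@dataclass
class KeytabEntry:
    kvno: int
    timestamp: str
    principal: str
    enctype: str


def parse_klist(text: str) -> list[KeytabEntry]:
    """Parse 'klist -ket' output; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["ts"], m["princ"], m["etype"]))
    return entries


def audit_keytab(entries: list[KeytabEntry], expected_principal: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the keytab looks sane."""
    findings = []
    if not entries:
        return ["no keytab entries found (wrong file, or klist output not in -ket format)"]

    # (a) The keytab must belong to the dedicated script account only. Fetching a keytab
    #     for any other user principal (e.g. admin) resets that account's password.
    for princ in sorted({e.principal for e in entries}):
        if princ != expected_principal:
            findings.append(
                f"unexpected principal {princ}: expected {expected_principal}; "
                f"ipa-getkeytab for a user principal resets that user's password"
            )

    # (b) Deprecated enctypes should not be issued into a fresh keytab.
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {e.enctype} for {e.principal} (kvno {e.kvno})")

    # (c) Mixed KVNOs usually mean the keytab was regenerated without removing old keys.
    kvnos = {e.kvno for e in entries}
    if len(kvnos) > 1:
        findings.append(f"mixed KVNOs in keytab: {sorted(kvnos)}")
    return findings


def main(argv: list[str]) -> int:
    expected = argv[1] if len(argv) > 1 else "adsync@EXAMPLE.TEST"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    findings = audit_keytab(parse_klist(text), expected)
    for f in findings:
        print("WARN:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `klist -ket adsync.keytab | python3 keytab_audit.py adsync@REALM`; with no piped input it audits the constructed sample, which reports the two deprecated enctypes. The principal check is the one that would have caught the situation in the thread: a keytab whose entries name `admin@REALM` rather than the dedicated account is the sign that the wrong principal's key was just reset.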