An inexperienced administrator overwrote the /etc/krb5.keytab on my IDM server. (ugh!)
I had thought ipa-getkeytab was retrieving the keytab, but now see I regenerated it and
SHOULD have used the -r flag.
ipa-getkeytab(1)
IPA Manual Pages
NAME
ipa-getkeytab - Get a keytab for a Kerberos principal
SYNOPSIS
ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ] [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ] [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]
DESCRIPTION
Retrieves a Kerberos keytab.
-snip-
WARNING: retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid.
-snip-
grant@ef-idm01:/etc[20210302-15:39][#1009]$ ipa-getkeytab -s ef-idm01.production.efilm.com -p host/ef-idm01.production.efilm.com -k ~/ef-idm01.krb5.keytab
Keytab successfully retrieved and stored in: /home/grant/ef-idm01.krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1010]$ sudo rsync -av ~/ef-idm01.krb5.keytab /etc/krb5.keytab
sending incremental file list
ef-idm01.krb5.keytab
sent 521 bytes received 31 bytes 1104.00 bytes/sec
total size is 418 speedup is 0.76
grant@ef-idm01:/etc[20210302-15:40][#1011]$ ls -al /etc/krb5.keytab
-rw------- 1 grant grant 418 Mar 2 15:40 /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:40][#1012]$ sudo chown root.root /etc/krb5.keytab
grant@ef-idm01:/etc[20210302-15:41][#1013]$
What are the possible repercussions of regenerating this keytab?
I don’t see any issues. Am I missing anything?
thanx
- grant