Hello,
I am attempting to set up Apache behind a load balancer and have set up the necessary host and DNS entry to represent a virtual host. I also have added the ACL to pull and also to create the ticket.
I am, however, unable to run ipa-getkeytab with the -r flag. If I remove the flag, I get the ticket fine from both systems. What could I have overlooked? I have gone through the exercise twice with the same result. Below is what I am currently seeing.
[william@ansible ~]$ ssh root@lithium
Last login: Wed Mar 7 15:57:59 2018 from cacti.eng.example.com
[root@lithium ~]# ipa service-find temp30.eng.example.com
-----------------
1 service matched
-----------------
  Principal name: http/temp30.eng.example.com@ENG.EXAMPLE.COM
  Principal alias: http/temp30.eng.example.com@ENG.EXAMPLE.COM
  Keytab: True
  Hosts allowed to retrieve keytab: temp20.eng.example.com, temp21.eng.example.com
----------------------------
Number of entries returned 1
----------------------------
[root@lithium ~]#

[root@temp20 ~]# ipa-getkeytab -r -s lithium.eng.example.com -p http/temp30.eng.example.com -k /etc/httpd/conf.d/httpd.keytab
Failed to parse result: Insufficient access rights
Failed to get keytab
[root@temp20 ~]# ipa-getkeytab -s lithium.eng.example.com -p http/temp30.eng.example.com -k /etc/httpd/conf.d/httpd.keytab
Keytab successfully retrieved and stored in: /etc/httpd/conf.d/httpd.keytab
[root@temp20 ~]#
Regards, William
On 03/08/2018 02:30 AM, William Muriithi via FreeIPA-users wrote:
> Hello,
> I am attempting to set up Apache behind a load balancer and have set up the necessary host and DNS entry to represent a virtual host. I also have added the ACL to pull and also to create the ticket.
> I am, however, unable to run ipa-getkeytab with the -r flag. If I remove the flag, I get the ticket fine from both systems. What could I have overlooked? I have gone through the exercise twice with the same result. Below is what I am currently seeing.
Hi,
a user needs specific access rights in order to retrieve a keytab, which are different from those needed to create a keytab. You can perform the ipa-getkeytab command as cn=Directory manager with the option ipa-getkeytab --retrieve -D "cn=directory manager" -w $password ...
HTH, Flo
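The distinction Flo draws above (creating new keys versus retrieving the existing ones are two separate per-service grants) is easy to check before running ipa-getkeytab. The script below is an added example written for this thread, not FreeIPA code: it parses the allow lists that `ipa service-show` prints and says whether a given Kerberos principal is on the list for the operation that ipa-getkeytab is about to perform (`-r` needs the retrieve list; without `-r` it needs the create list). The sample output is constructed from the service-find output in the thread; the "Groups allowed to retrieve keytab" and "Hosts allowed to create keytab" lines are assumptions added to show a group grant and the second list. Directory Manager is treated as exempt, and ordinary RBAC write access to the key attribute (how an admin can create keys without being listed) is deliberately outside the model.

```python
"""
Evaluate a FreeIPA service's keytab ACLs for the principal that will run
ipa-getkeytab.  Added example for this thread, not FreeIPA code.
"""
import re

# Constructed sample, modelled on the service-find output in the thread.
# The Groups line and the "create" line are assumptions added for illustration.
SAMPLE_SERVICE_SHOW = """\
  Principal name: http/temp30.eng.example.com@ENG.EXAMPLE.COM
  Principal alias: http/temp30.eng.example.com@ENG.EXAMPLE.COM
  Keytab: True
  Hosts allowed to retrieve keytab: temp20.eng.example.com, temp21.eng.example.com
  Groups allowed to retrieve keytab: keytab-readers
  Hosts allowed to create keytab: temp20.eng.example.com
"""

# Subject types, keyed by the label `ipa service-show` prints for each.
SUBJECT_LABELS = {
    "hosts": "Hosts",
    "users": "Users",
    "groups": "Groups",
    "hostgroups": "Host Groups",
}
ACL_LINE = re.compile(
    r"^\s*(Hosts|Users|Groups|Host Groups) allowed to (retrieve|create) keytab:\s*(.*)$",
    re.IGNORECASE,
)


def parse_acls(show_output):
    """Return {op: {subject_type: set(names)}} for op in ('retrieve', 'create')."""
    acls = {op: {k: set() for k in SUBJECT_LABELS} for op in ("retrieve", "create")}
    label_to_key = {v.lower(): k for k, v in SUBJECT_LABELS.items()}
    for line in show_output.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        subject_type = label_to_key[m.group(1).lower()]
        op = m.group(2).lower()
        names = {n.strip().lower() for n in m.group(3).split(",") if n.strip()}
        acls[op][subject_type] |= names
    return acls


def split_principal(principal):
    """'host/fqdn@REALM' -> ('host', fqdn); 'alice@REALM' -> ('user', 'alice')."""
    if principal.lower().startswith("cn=directory manager"):
        return ("dirmgr", None)
    name = principal.split("@", 1)[0]
    if name.startswith("host/"):
        return ("host", name[len("host/"):].lower())
    return ("user", name.lower())


def allowed(acls, op, principal, user_groups=(), host_groups=()):
    """Decide whether `principal` may `op` ('retrieve' or 'create') the keytab.

    Only the per-service allow lists are modelled.  Directory Manager is not
    subject to them; RBAC write access to the key attribute (which is how an
    admin can *create* keys without being listed) is outside this check.
    Group membership is supplied by the caller, since the listing does not
    resolve it.
    """
    kind, name = split_principal(principal)
    if kind == "dirmgr":
        return True, "Directory Manager bypasses the per-service ACL"
    lists = acls[op]
    if kind == "host":
        if name in lists["hosts"]:
            return True, f"host {name} is listed for {op}"
        hit = lists["hostgroups"] & {g.lower() for g in host_groups}
        if hit:
            return True, f"host group {sorted(hit)[0]} is listed for {op}"
    else:
        if name in lists["users"]:
            return True, f"user {name} is listed for {op}"
        hit = lists["groups"] & {g.lower() for g in user_groups}
        if hit:
            return True, f"group {sorted(hit)[0]} is listed for {op}"
    return False, f"{kind} {name} is not on the {op} list; expect 'Insufficient access rights'"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_SERVICE_SHOW)
    for who in ("host/temp20.eng.example.com@ENG.EXAMPLE.COM",
                "admin@ENG.EXAMPLE.COM",
                "cn=directory manager"):
        for op in ("retrieve", "create"):
            ok, why = allowed(acls, op, who)
            print(f"{who:45} {op:8} {'OK  ' if ok else 'DENY'} ({why})")
```

Two practical points follow from the model. First, unless `-D`/`-w` is given, ipa-getkeytab authenticates with whatever is in the current Kerberos credential cache, so a `kinit admin` done earlier on the client means the check is made against `admin`, not against the enrolled host that appears in "Hosts allowed to retrieve keytab"; `kinit -kt /etc/krb5.keytab host/$(hostname -f)` before `ipa-getkeytab -r` makes the host principal the subject. Second, the grants themselves are managed with `ipa service-allow-retrieve-keytab` and `ipa service-allow-create-keytab` (with `--hosts`, `--users`, `--groups`, `--hostgroups`), which is the durable alternative to binding as Directory Manager.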