Red Hat Summit29.2. Rekeying Kerberos Principals
Rekeying a Kerberos principal adds a new keytab entry with a higher key version number (KVNO) to the principal's keytab. The original entry remains in the keytab, but is no longer used to issue tickets.
- Find all keytabs issued within the required time period. For example, the following commands use the
ldapsearchutility to display all host and service principals created between midnight on January 1, 2016, and 11:59 PM on December 31, 2016 in Greenwich Mean Time (GMT):ldapsearch -x -b "cn=computers,cn=accounts,dc=example,dc=com" "(&(krblastpwdchange>=20160101000000)(krblastpwdchange<=20161231235959))" dn krbprincipalname
# ldapsearch -x -b "cn=computers,cn=accounts,dc=example,dc=com" "(&(krblastpwdchange>=20160101000000)(krblastpwdchange<=20161231235959))" dn krbprincipalnameCopy to Clipboard Copied! Toggle word wrap Toggle overflow ldapsearch -x -b "cn=services,cn=accounts,dc=example,dc=com" "(&(krblastpwdchange>=20160101000000)(krblastpwdchange<=20161231235959))" dn krbprincipalname
# ldapsearch -x -b "cn=services,cn=accounts,dc=example,dc=com" "(&(krblastpwdchange>=20160101000000)(krblastpwdchange<=20161231235959))" dn krbprincipalnameCopy to Clipboard Copied! Toggle word wrap Toggle overflow - The searchbase (
-b) defines the subtree whereldapsearchlooks for the principals:- Host principals are stored under the cn=computers,cn=accounts,dc=example,dc=com subtree.
- Service principals are stored under the cn=services,cn=accounts,dc=example,dc=com subtree.
- The
krblastpwdchangeparameter filters the search results by the last change date. The parameter accepts the YYYYMMDD format for the date and the HHMMSS format for the time of day in GMT. - Specifying the
dnandkrbprincipalnameattributes limits the search results to the entry name and principal.
- For every service and host that requires rekeying the principal, use the
ipa-getkeytabutility to retrieve a new keytab entry. Pass the following options:--principal(-p) to specify the principal--keytab(-k) to specify the location of the original keytab--server(-s) to specify the Identity Management server host name
For example:- To rekey a host principal with its keytab in the default location of
/etc/krb5.keytab:ipa-getkeytab -p host/client.example.com@EXAMPLE.COM -s server.example.com -k /etc/krb5.keytab
# ipa-getkeytab -p host/client.example.com@EXAMPLE.COM -s server.example.com -k /etc/krb5.keytabCopy to Clipboard Copied! Toggle word wrap Toggle overflow - To rekey the keytab for the Apache service in the default location of
/etc/httpd/conf/ipa.keytab:ipa-getkeytab -p HTTP/client.example.com@EXAMPLE.COM -s server.example.com -k /etc/httpd/conf/ipa.keytab
# ipa-getkeytab -p HTTP/client.example.com@EXAMPLE.COM -s server.example.com -k /etc/httpd/conf/ipa.keytabCopy to Clipboard Copied! Toggle word wrap Toggle overflow ImportantSome services, such as NFS version 4, support only a limited set of encryption types. Pass the appropriate arguments to the ipa-getkeytab command to configure the keytab properly.
- Optional. Verify that you rekeyed the principals successfully. Use the
klistutility to list all Kerberos tickets. For example, to list all keytab entries in/etc/krb5.keytab:Copy to Clipboard Copied! Toggle word wrap Toggle overflow The output shows that the keytab entry forclient.example.comwas rekeyed with a higher KVNO. The original keytab still exists in the database with the previous KVNO.Tickets issued against the earlier keytab continue to work, while new tickets are issued using the key with the highest KVNO. This avoids any disruption to system operations.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}