16.4. Retrieve Existing Keytabs for Multiple Servers
In some scenarios, like in a cluster environment, the same keytab file is required for a service represented on one common host name by different machines. IdM commands can be used to retrieve the same keytab on each of the hosts.
To prepare the common host name and the service principal, run the following commands on an IdM server:
- Authenticate as admin:
  [root@ipaserver ~]# kinit admin
- Add a common forward DNS record for all IP addresses that share this host name:
  [root@ipaserver ~]# ipa dnsrecord-add idm.example.com cluster --a-rec={192.0.2.40,192.0.2.41}
    Record name: cluster
    A record: 192.0.2.40, 192.0.2.41
- Create a new host entry object for the common DNS name.
- Add the service principal for the host.
- Add the hosts that should be able to retrieve the keytab from IdM to the service.
- Grant permission to create a new keytab to one host.
On the clients, follow these steps:
- Authenticate with the host's Kerberos keytab:
  # kinit -kt /etc/krb5.keytab
- On the client you granted the respective permission to, generate a new keytab and store it in a file:
  [root@node01 ~]# ipa-getkeytab -s ipaserver.idm.example.com -p HTTP/cluster.idm.example.com -k /tmp/client.keytab
- On all other clients, retrieve the existing keytab from the IdM server by adding the -r option to the command:
  [root@node02 ~]# ipa-getkeytab -r -s ipaserver.idm.example.com -p HTTP/cluster.idm.example.com -k /tmp/client.keytab

Warning: Be aware that if you omit the -r option, a new keytab will be generated. This invalidates all previously retrieved keytabs for this service principal.
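An added check that is not part of the Red Hat IdM documentation: a POSIX shell routine that compares the key version number (KVNO) of the HTTP/cluster.idm.example.com entry across the nodes' keytabs, using klist -kt output from each node, so that a node which ran ipa-getkeytab without -r (and thereby invalidated the other nodes' keytabs) is noticed before the service breaks. The klist samples and the function names (max_kvno, kvno_consistent) are constructed for this example; the KVNO increment on regeneration is how ipa-getkeytab behaves.

```shell
#!/bin/sh
# Added example, not part of the Red Hat IdM documentation: detect the failure
# mode described in the Warning. ipa-getkeytab without -r generates new keys,
# so the node that ran it holds a higher KVNO and every other node's copy of
# HTTP/cluster.idm.example.com is invalidated. Input is `klist -kt` output
# from each node; the three samples below are constructed, not captured.

NODE01_KLIST='Keytab name: FILE:/tmp/client.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   2 01/01/2024 10:00:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM'

# node02 retrieved with -r: same KVNO as node01 (consistent).
NODE02_KLIST='Keytab name: FILE:/tmp/client.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   2 01/01/2024 10:05:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM'

# node03 omitted -r: a new key was generated and the KVNO moved to 3.
NODE03_KLIST='Keytab name: FILE:/tmp/client.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 01/01/2024 10:10:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM'

# max_kvno PRINCIPAL KLIST_OUTPUT: print the highest KVNO recorded for the
# principal (any realm); print nothing if the principal is absent.
max_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$NF ~ "^" p "@" { if ($1 + 0 > m) m = $1 + 0 } END { if (m) print m }'
}

# kvno_consistent PRINCIPAL OUTPUT...: exit 0 when every node reports the same
# KVNO, 1 when they diverge (a keytab was regenerated), 2 when a node lacks it.
kvno_consistent() {
    p="$1"; shift; ref=""
    for out in "$@"; do
        k=$(max_kvno "$p" "$out")
        [ -n "$k" ] || return 2
        if [ -z "$ref" ]; then ref="$k"
        elif [ "$k" != "$ref" ]; then return 1
        fi
    done
    return 0
}

# Stand-alone run: check the page's principal across all three sample nodes.
kvno_consistent HTTP/cluster.idm.example.com "$NODE01_KLIST" "$NODE02_KLIST" "$NODE03_KLIST" \
    && echo "all nodes share one KVNO" \
    || echo "KVNO mismatch: a node ran ipa-getkeytab without -r and invalidated the others"
```

On a real cluster, capture `klist -kt /tmp/client.keytab` on each node and pass those outputs instead of the constructed strings.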