16.4. Retrieve Existing Keytabs for Multiple Servers
In some scenarios, such as a cluster environment, several machines serve one service under a common host name and therefore all need the same keytab file. IdM commands can be used to retrieve the same keytab on each of these hosts.
To prepare the common host name and the service principal, run the following commands on an IdM server:
- Authenticate as the admin user:
[root@ipaserver ~]# kinit admin
- Add a common forward DNS record for all IP addresses that share this host name:
[root@ipaserver ~]# ipa dnsrecord-add idm.example.com cluster --a-rec={192.0.2.40,192.0.2.41}
  Record name: cluster
  A record: 192.0.2.40, 192.0.2.41
- Create a new host entry object for the common DNS name:
[root@ipaserver ~]# ipa host-add cluster.idm.example.com
------------------------------------
Added host "cluster.idm.example.com"
------------------------------------
  Host name: cluster.idm.example.com
  Principal name: host/cluster.idm.example.com@IDM.EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: cluster.idm.example.com
- Add the service principal for the host:
[root@ipaserver ~]# ipa service-add HTTP/cluster.idm.example.com
------------------------------------------------------------
Added service "HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM"
------------------------------------------------------------
  Principal: HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
  Managed by: cluster.idm.example.com
- Add the hosts that should be able to retrieve the keytab from IdM to the service:
[root@ipaserver ~]# ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com --hosts={node01.idm.example.com,node02.idm.example.com}
  Principal: HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
  Managed by: cluster.idm.example.com
  Hosts allowed to retrieve keytab: node01.idm.example.com, node02.idm.example.com
-------------------------
Number of members added 2
-------------------------
- Grant permission to create a new keytab to one host:
[root@ipaserver ~]# ipa service-allow-create-keytab HTTP/cluster.idm.example.com --hosts=node01.idm.example.com
  Principal: HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
  Managed by: cluster.idm.example.com
  Hosts allowed to retrieve keytab: node01.idm.example.com, node02.idm.example.com
  Hosts allowed to create keytab: node01.idm.example.com
-------------------------
Number of members added 1
-------------------------
On the clients, follow these steps:
- Authenticate with the host's Kerberos keytab:
# kinit -kt /etc/krb5.keytab
- On the client you granted the respective permission to, generate a new keytab and store it in a file:
[root@node01 ~]# ipa-getkeytab -s ipaserver.idm.example.com -p HTTP/cluster.idm.example.com -k /tmp/client.keytab
- On all other clients, retrieve the existing keytab from the IdM server by adding the -r option to the command:
[root@node02 ~]# ipa-getkeytab -r -s ipaserver.idm.example.com -p HTTP/cluster.idm.example.com -k /tmp/client.keytab
Warning
Be aware that if you omit the -r option, a new keytab will be generated. This invalidates all previously retrieved keytabs for this service principal.
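Once every node has run ipa-getkeytab, it is worth confirming that no node regenerated the key by mistake: a regenerated keytab carries a higher key version number (KVNO) than the copies retrieved with -r. The following check is an added example, not part of the Red Hat documentation; it compares the KVNO that klist -kt reports for the shared principal across nodes, using constructed sample listings in place of real keytab files.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): verify that all cluster
# nodes hold the same KVNO for the shared service principal. If one node ran
# ipa-getkeytab without -r, its KVNO is higher and the other nodes' keytabs
# no longer match the key known to the KDC.

# Print the highest KVNO for principal $1 from `klist -k` output read on stdin.
# Real usage: klist -kt /tmp/client.keytab | max_kvno HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
max_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 }
                   END { print m + 0 }'
}

# Return 0 if every listing file passed after the principal (one `klist -k`
# capture per node) agrees on the KVNO; otherwise report the odd one out.
kvno_consistent() {
    princ="$1"; shift
    ref=""
    for f in "$@"; do
        k=$(max_kvno "$princ" < "$f")
        [ "$k" -gt 0 ] || { echo "$f: principal $princ not found" >&2; return 1; }
        if [ -z "$ref" ]; then ref="$k"
        elif [ "$k" != "$ref" ]; then
            echo "$f: KVNO $k differs from KVNO $ref on the first node" >&2
            return 1
        fi
    done
    return 0
}

# Constructed `klist -kt` listing with KVNO $1 written to file $2 (two entries,
# one per encryption type, as a real keytab listing would show).
sample_listing() {
    cat > "$2" <<EOF
Keytab name: FILE:/tmp/client.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   $1 01/15/2024 10:01:12 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
   $1 01/15/2024 10:01:12 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
EOF
}

PRINC=HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
NODE01=$(mktemp); NODE02=$(mktemp); NODE03=$(mktemp)
sample_listing 2 "$NODE01"   # generated on node01
sample_listing 2 "$NODE02"   # retrieved with -r: same KVNO
sample_listing 3 "$NODE03"   # constructed: regenerated without -r, KVNO bumped

kvno_consistent "$PRINC" "$NODE01" "$NODE02" && echo "node01/node02: KVNO consistent"
kvno_consistent "$PRINC" "$NODE01" "$NODE03" || echo "node03 would invalidate the others"
```

On real nodes, replace the sample files with `klist -kt /tmp/client.keytab` output collected from each host.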