Grant Janssen via FreeIPA-users wrote:
> an inexperienced administrator overwrote the /etc/krb5.keytab on my IDM
> server. (ugh!)
>
> I had thought ipa-getkeytab was retrieving the keytab, but now see
> I regenerated it and SHOULD have used the -r flag.
>
> ipa-getkeytab(1)
> IPA Manual Pages
> ipa-getkeytab(1)
>
> *NAME*
> ipa-getkeytab - Get a keytab for a Kerberos principal
>
> *SYNOPSIS*
> ipa-getkeytab *-p* principal-name *-k* keytab-file [ *-e* encryption-types ] [ *-s* ipaserver ] [ *-q* ] [ *-D*|*--binddn* BINDDN ] [ *-w|--bindpw* ] [ *-P*|*--password* PASSWORD ] [ *--cacert* CACERT ] [ *-H|--ldapuri* URI ] [ *-Y|--mech* GSSAPI|EXTERNAL ] [ *-r* ]
>
> *DESCRIPTION*
> Retrieves a Kerberos keytab.
>
> -snip-
> *WARNING:* retrieving the keytab resets the secret for the
> Kerberos principal. This renders all other keytabs for that principal
> invalid.
>
> -snip-
>
> grant@ef-idm01:/etc[20210302-15:39][#1009]$ ipa-getkeytab -s ef-idm01.production.efilm.com -p host/ef-idm01.production.efilm.com -k ~/ef-idm01.krb5.keytab
> Keytab successfully retrieved and stored in: /home/grant/ef-idm01.krb5.keytab
> grant@ef-idm01:/etc[20210302-15:40][#1010]$ sudo rsync -av ~/ef-idm01.krb5.keytab /etc/krb5.keytab
> sending incremental file list
> ef-idm01.krb5.keytab
>
> sent 521 bytes  received 31 bytes  1104.00 bytes/sec
> total size is 418  speedup is 0.76
> grant@ef-idm01:/etc[20210302-15:40][#1011]$ ls -al /etc/krb5.keytab
> -rw------- 1 grant grant 418 Mar  2 15:40 /etc/krb5.keytab
> grant@ef-idm01:/etc[20210302-15:40][#1012]$ sudo chown root.root /etc/krb5.keytab
> grant@ef-idm01:/etc[20210302-15:41][#1013]$
>
> What are the possible repercussions of regenerating this keytab?
> I don’t see any issues. Am I missing anything?

You shouldn't see any issues.

If you have SELinux enabled, and you should, I'd also run restorecon on the keytab.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
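The manpage warning quoted in the thread comes down to key version numbers: when ipa-getkeytab is run without -r, the KDC generates a fresh key for the principal with a higher KVNO, so any other copy of that principal's keytab still carries the old KVNO and stops authenticating. A practical check after a restore like Grant's is to compare the KVNOs in the old and new keytab files. The following is an added example, not code from the thread or from FreeIPA: a minimal parser for the keytab file format (version 0x0502) plus a KVNO comparison. The keytab bytes are constructed in memory from the page's host principal; the realm EXAMPLE.COM and the key material are placeholders.

```python
"""Inspect keytab files and compare key version numbers (KVNOs).

Added example, not part of the FreeIPA-users thread.  The keytab input is
built in memory by build_keytab(); realm and key bytes are placeholders.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used here to construct sample input; real files come from ipa-getkeytab."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)   # name_type (present in v2)
        body += struct.pack(">I", 0)                   # timestamp
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return [{principal, kvno, enctype}, ...]; key material is never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        pos += 4                      # name_type
        pos += 4                      # timestamp
        kvno = data[pos]              # 8-bit vno
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)
        if end - pos >= 4:            # non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
        })
    return entries


def kvno_mismatches(old_keytab: bytes, new_keytab: bytes):
    """Principals whose KVNO differs between two keytabs: every other copy
    of the old one will fail against the KDC once the new key is in use."""
    old = {(e["principal"], e["enctype"]): e["kvno"] for e in parse_keytab(old_keytab)}
    new = {(e["principal"], e["enctype"]): e["kvno"] for e in parse_keytab(new_keytab)}
    return {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}


# Constructed sample: the page's host principal, placeholder realm and key bytes.
HOST = "host/ef-idm01.production.efilm.com@EXAMPLE.COM"
SAMPLE_KEY = bytes(range(32))                                   # not a real key
OLD_KEYTAB = build_keytab([(HOST, 2, 18, SAMPLE_KEY)])          # before regeneration
NEW_KEYTAB = build_keytab([(HOST, 3, 18, bytes(reversed(SAMPLE_KEY)))])  # after

if __name__ == "__main__":
    for entry in parse_keytab(NEW_KEYTAB):
        print(entry)
    print("kvno mismatches:", kvno_mismatches(OLD_KEYTAB, NEW_KEYTAB))
```

On a real host the same information comes from `klist -kte /etc/krb5.keytab`; the point of the comparison is that a mismatch lists exactly the principals for which any other keytab copy (on a replica, a backup, or another service) has just been invalidated and must be refreshed, this time with -r.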