Retrieve Existing Keytabs from FreeIPA

August 30, 2022 in memos.

This is a work in progress.

In this example, s1.prod.example.com is a real server and an IPA client. The name ipa.example.com is an alias.

The same process can be repeated to allow additional real hosts to retreive a keytab for ipa.example.com, simply replace s1.prod.example.com with a different hostname.

;; ANSWER SECTION:
ipa.example. 30   IN      CNAME   s1.prod.example.com.
s1.prod.example.com. 124 IN A 203.0.113.88

We need to allow the host(s) access to retreive keytabs for each service.

This can be done from any IPA client or the Web UI. Normally, this will not be ran from the host where keytabs will be retreived, as this operation requires admin access to IPA. These commands will need to be repeated each host needing to retrieve the keytab(s).

$ ipa service-allow-retrieve-keytab HTTP/ipa.example.com \ 
  --hosts=s1.prod.example.com
$ ipa service-allow-retrieve-keytab HTTP/s1.prod.example.com \ 
  --hosts=s1.prod.example.com

In the previous step, we allowed the host to retrieve the keytabs for both service principals.

[root@s1 ~]# kinit -kt /etc/krb5.keytab

Here’s the current keytab used by httpd. Notice that only keys for HTTP/$(hostname) are present.

[root@s1 ~]# klist  -kt /etc/httpd/httpd.keytab
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 04/06/2022 20:40:24 HTTP/s1.prod.example.com@IPA.EXAMPLE.COM
   1 04/06/2022 20:40:24 HTTP/s1.prod.example.com@IPA.EXAMPLE.COM

Use ipa-getkeytab -r to retrieve the existing keys and save to -k /etc/httpd/httpd.keytab.

/etc/httpd/httpd.keytab Keytab successfully retrieved and stored in:
/etc/httpd/httpd.keytab

And now, the existing keytab had the new keys added to it for the vanity name.

[root@s1 ~]# klist  -kt /etc/httpd/httpd.keytab
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 04/06/2022 20:40:24 HTTP/s1.prod.example.com@IPA.EXAMPLE.COM
   1 04/06/2022 20:40:24 HTTP/s1.prod.example.com@IPA.EXAMPLE.COM
   1 08/30/2022 18:59:14 HTTP/ipa.example.com@IPA.EXAMPLE.COM
   1 08/30/2022 18:59:14 HTTP/ipa.example.com@IPA.EXAMPLE.COM

Retreiving keytab for host principals

To create keytabs for host principals the process is also very similar.

We will instead used host-allow-retrieve-keytab to allow the hosts access to retreive the keytab(s).

ipa host-allow-retrieve-keytab ipa.example.com --hosts=s1.prod.example.com

Tags: freeipa kerberos