Is there a command in Isilon toolset that allows you to import a keytab
generated by other means?

Seems not. We have asked EMC/Dell and have had no reply so far.

Looking at standing up an MIT Kerberos server and then seeing if I can do a one-way trust to IPA, which in turn has a one-way trust to AD, but that is getting really messy.

🙁

regards

Steven 


From: Alexander Bokovoy <abokovoy@redhat.com>
Sent: Wednesday, 1 December 2021 2:43 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: thing.thing@gmail.com <thing.thing@gmail.com>
Subject: Re: [Freeipa-users] EMC Isilon and IPA - Kerberos
 
On Tue, 30 Nov 2021, thing.thing--- via FreeIPA-users wrote:
>I have the Isilon talking to IPA for LDAP. What I cannot yet do is run the Isilon command to make Kerberos work.
>
>=====
>tststocoiso-1# kinit admin@ODSTEST.VUWTEST.AC.NZ
>Password for admin@ODSTEST.VUWTEST.AC.NZ:
>tststocoiso-1# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: admin@ODSTEST.VUWTEST.AC.NZ
>
>
>
>Valid starting Expires Service principal
>11/30/21 16:44:56 12/01/21 16:10:10 krbtgt/ODSTEST.VUWTEST.AC.NZ@ODSTEST.VUWTEST.AC.NZ
>tststocoiso-1# isi auth krb5 spn fix --provider-name=ODSTEST.VUWTEST.AC.NZ --user=admin
>password:
>Attempting to add missing SPNs:
>HTTP/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>hdfs/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>host/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>nfs/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>Failed to join realm: (LW_ERROR_KADM5_AUTH_ADD) Operation requires ``add'' privilege
>tststocoiso-1#
>====
>
>What is the add privilege?  how do I grant it to admin?

From what you are showing, I can gather that Isilon has its own utility to
join Kerberos realms by using kadmin. FreeIPA does not really allow use
of kadmin over the network because there is an issue with auditing of the
operations done through kadmin: every operation comes into a database
layer and is executed there under the same 'super user' identity
(cn=Directory Manager). As a result, there are no default ACLs which
allow kadmin write access to any IPA Kerberos principal, including admin.

Additionally, FreeIPA does not follow the Active Directory approach with
SPNs being aliases to the same machine account. It means if you were to
create HTTP/.., hdfs/.., host/.., nfs/.. principals in IPA for the
Isilon host with IPA tools (ipa host-add ... and ipa service-add ...
commands), they would operate on different accounts. This is not
something that Windows-oriented tools expect.

Is there a command in Isilon toolset that allows you to import a keytab
generated by other means?

Are these Isilon tools open source?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
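Added example, not from this thread and not Isilon or FreeIPA code: a small reader/writer for the MIT Kerberos keytab file format (version 0x0502) plus a check that a keytab carries all four SPNs the Isilon join tried to create (HTTP/, hdfs/, host/, nfs/). In practice the keys would come from ipa-getkeytab after ipa service-add for each principal, with every call appending to the same file; this is the sanity check to run on the result before looking for a way to feed it to the Isilon. The host name and realm are the ones from the thread; the key material is constructed dummy bytes, and the function names (read_keytab, write_keytab, missing_spns) are my own.

```python
# Added example: minimal MIT keytab (format 0x0502) reader/writer and an SPN
# completeness check. Not from the thread, Isilon, or FreeIPA. Keys are dummies.
import struct

KEYTAB_VERSION = 0x0502
AES256_CTS_HMAC_SHA1_96 = 18        # enctype number (RFC 3962)
NT_PRINCIPAL = 1                    # name_type for ordinary service principals
HOST = "tststocoisnfs01.odstest.vuwtest.ac.nz"   # host and realm from the thread
REALM = "ODSTEST.VUWTEST.AC.NZ"
ISILON_SERVICES = ("HTTP", "hdfs", "host", "nfs")  # SPNs listed by the failed join


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int) -> bytes:
    """One keytab entry laid out as MIT krb5 writes it for format version 2."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))        # v2: component count excludes the realm
    body += _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)             # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body  # int32 size prefix


def write_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(encode_entry(**e) for e in entries)


def read_keytab(buf: bytes):
    """Parse a v2 keytab into dicts, skipping deleted (negative-size) slots."""
    (version,) = struct.unpack_from(">H", buf, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos < len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size < 0:                            # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        realm, pos = _read_counted(buf, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(buf, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        key, pos = _read_counted(buf, pos)
        kvno = vno8
        if end - pos >= 4:                      # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", buf, pos)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp, "name_type": name_type})
        pos = end
    return entries


def missing_spns(entries, host=HOST, realm=REALM, services=ISILON_SERVICES):
    """Principals the Isilon join wanted that are absent from the parsed keytab."""
    present = {e["principal"] for e in entries}
    return [p for p in (f"{s}/{host}@{realm}" for s in services) if p not in present]


def sample_entries():
    """Constructed sample: four SPNs with placeholder keys (real keys come from ipa-getkeytab)."""
    return [{"principal": f"{s}/{HOST}@{REALM}", "kvno": 1,
             "enctype": AES256_CTS_HMAC_SHA1_96,
             "key": bytes([i]) * 32,            # dummy 256-bit key, not real material
             "timestamp": 1638240000} for i, s in enumerate(ISILON_SERVICES, 1)]


if __name__ == "__main__":
    blob = write_keytab(sample_entries())
    for e in read_keytab(blob):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    print("missing:", missing_spns(read_keytab(blob)))
```

Run it against a file produced by ipa-getkeytab with read_keytab(open(path, "rb").read()) and an empty list from missing_spns means every principal is present; the parser also honours the 32-bit kvno extension, so a principal whose key version has passed 255 is reported correctly.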