[Freeipa-users] Απ: Re: Retrieve service keytab with host keytab authentication?

Hi Peter, On su, 04 huhti 2021, Peter Tselios via FreeIPA-users wrote: > My point is that I **don't** want to use the kinit. You need to be authenticated to use ipa-getkeytab. There are two methods of authentication available in ipa-getkeytab: - use of an explicit LDAP bind DN credentials, typically 'cn=Directory Manager' - use of Kerberos credentials The latter obeys standard MIT Kerberos environmental variables so client-initiated keytab-based authentication can be used as well. See below for references in ansible-freeipa code. > I also looked in the API Browser and I couldn't find any relevant > option, so can someone tell me if there is an API call that I could use > in order to download a keytab? There is no IPA API call for that. You are talking here to LDAP server, not to an IPA API end-point. > If it doesn't, I will create an RFE for this since without an API call, > we cannot create an ansible module for this. I don't see how these two are related. Even with an IPA API call you need authentication to happen first. If you look into ansible-freeipa code, every module handles situation with missing credentials by calling for a kinit. This is the same situation: you need to authenticate first before calling for ipa-getkeytab. ansible-freeipa already has support for keytab-based initialization through standard MIT Kerberos environmental variables: https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8f... Keytab-based authentication is available with all existing ansible roles that implement IPA commands because the fallback to check for a keytab happens in the valid_creds() method. So if you are going to create a new role based on the existing code, it has already all required support for keytabs. It even has FreeIPABaseModule helper class to simplify implementation of new commands that handles authentication automatically in __enter__() method.