I cannot see the reply on the web, so maybe I missed something.
The fact that I need to authenticate in order to retrieve the keytab is obvious.
Maybe in my OP I focused too much on the authentication method, but for me the most
important issue is the lack of an API call (and yes, I plan to submit an RFE for this). The
GSSAPI support is very interesting and I will investigate it further; it looks very
promising.
________________________________
From: akash rao via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Monday, 5 April 2021 12:12
To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Cc: akash rao <akash.rao.ind(a)gmail.com>
Subject: [Freeipa-users] Re: Retrieve service keytab with host keytab authentication?
On 05/04/21 10:11 am, Alexander Bokovoy via FreeIPA-users wrote:
Hi Peter,
On Sun, 04 Apr 2021, Peter Tselios via FreeIPA-users wrote:
> My point is that I **don't** want to use the kinit.
You need to be authenticated to use ipa-getkeytab. There are two methods
of authentication available in ipa-getkeytab:
- use of an explicit LDAP bind DN credentials, typically
'cn=Directory Manager'
- use of Kerberos credentials
The latter obeys standard MIT Kerberos environmental variables so
client-initiated keytab-based authentication can be used as well. See
below for references in ansible-freeipa code.
> I also looked in the API Browser and I couldn't find any relevant
> option, so can someone tell me if there is an API call that I could use
> in order to download a keytab?
There is no IPA API call for that. You are talking here to LDAP server,
not to an IPA API end-point.
> If it doesn't, I will create an RFE for this since without an API call,
> we cannot create an ansible module for this.
I don't see how these two are related. Even with an IPA API call you
need authentication to happen first. If you look into ansible-freeipa
code, every module handles the situation with missing credentials by calling
for a kinit. This is the same situation: you need to authenticate first
before calling for ipa-getkeytab.
ansible-freeipa already has support for keytab-based initialization
through standard MIT Kerberos environmental variables:
https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8f...
Keytab-based authentication is available with all existing ansible roles
that implement IPA commands because the fallback to check for a keytab
happens in the valid_creds() method. So if you are going to create a new
role based on the existing code, it has already all required support for
keytabs. It even has a FreeIPABaseModule helper class to simplify
implementation of new commands, which handles authentication automatically
in its __enter__() method.
plus one
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
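As an added shell example, not code from this thread or from the ansible-freeipa project: retrieving an existing service keytab with ipa-getkeytab while authenticating with the host's own keytab through the MIT Kerberos client-keytab variable, the mechanism Alexander describes above. The server and principal names, the MEMORY ccache name, and the prerequisite that the host has been granted retrieve rights on the service are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread or from ansible-freeipa.
# MIT Kerberos (1.11+) reads KRB5_CLIENT_KTNAME to acquire initial credentials
# for GSSAPI on demand, and ipa-getkeytab binds to the IPA LDAP server with
# GSSAPI, so no interactive kinit is needed.
# Assumptions: the host principal has been allowed to retrieve the service's
# keytab (e.g. via `ipa service-allow-retrieve-keytab`), ipa-getkeytab is on
# PATH, and all host/server names used are placeholders.

# Print the environment assignments and ipa-getkeytab invocation for a
# keytab-backed retrieval. A private MEMORY ccache keeps the host's TGT out of
# any ccache a logged-in user may have, and -r asks for the existing key
# instead of generating a new one (which would invalidate the keytab copies
# already deployed on other hosts).
# Usage: getkeytab_cmd SERVER PRINCIPAL OUTPUT_KEYTAB [HOST_KEYTAB]
getkeytab_cmd() {
    server=$1
    principal=$2
    out=$3
    hostkt=${4:-/etc/krb5.keytab}
    case $principal in
        */*@*) ;;
        *) echo "principal must look like service/fqdn@REALM" >&2; return 2 ;;
    esac
    printf 'KRB5_CLIENT_KTNAME=%s KRB5CCNAME=MEMORY:getkeytab ipa-getkeytab -r -s %s -p %s -k %s\n' \
        "$hostkt" "$server" "$principal" "$out"
}

# Perform the retrieval: refuse to run if the host keytab is unreadable (the
# usual sign the job is not running as root), create the output keytab with
# owner-only permissions, and return ipa-getkeytab's exit status unchanged.
retrieve_service_keytab() {
    server=$1
    principal=$2
    out=$3
    hostkt=${4:-/etc/krb5.keytab}
    [ -r "$hostkt" ] || { echo "cannot read host keytab $hostkt" >&2; return 1; }
    umask 077
    KRB5_CLIENT_KTNAME=$hostkt KRB5CCNAME=MEMORY:getkeytab \
        ipa-getkeytab -r -s "$server" -p "$principal" -k "$out"
}
```

Run it as root on the client host, for example `retrieve_service_keytab ipa.example.test HTTP/web.example.test@EXAMPLE.TEST /etc/httpd/http.keytab`; the same two environment variables are what a non-interactive playbook or cron job would export.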