I cannot see the reply on the web, so maybe I missed something.

The fact that I need to authenticate in order to retrieve the keytab is obvious.
Maybe in my OP I focused too much on the authentication method, but for me the most important issue is the lack of an API call (and yes, I plan to submit an RFE for this). The GSSAPI support is very interesting and I will investigate it further; it looks very promising.


From: akash rao via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Monday, 5 April 2021 12:12
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: akash rao <akash.rao.ind@gmail.com>
Subject: [Freeipa-users] Re: Retrieve service keytab with host keytab authentication?

On 05/04/21 10:11 am, Alexander Bokovoy via FreeIPA-users wrote:
> Hi Peter,
>
> On Sun, 04 Apr 2021, Peter Tselios via FreeIPA-users wrote:
>> My point is that I **don't** want to use the kinit.
>
> You need to be authenticated to use ipa-getkeytab. There are two methods
> of authentication available in ipa-getkeytab:
>
>  - use of an explicit LDAP bind DN credentials, typically
> 'cn=Directory Manager'
>
>  - use of Kerberos credentials
>
> The latter obeys standard MIT Kerberos environmental variables so
> client-initiated keytab-based authentication can be used as well. See
> below for references in ansible-freeipa code.
>
>> I also looked in the API Browser and I couldn't find any relevant
>> option, so can someone tell me if there is an API call that I could use
>> in order to download a keytab?
>
> There is no IPA API call for that. You are talking here to the LDAP server,
> not to an IPA API end-point.
>
>> If it doesn't, I will create an RFE for this since without an API call,
>> we cannot create an ansible module for this.
>
> I don't see how these two are related. Even with an IPA API call you
> need authentication to happen first. If you look into the ansible-freeipa
> code, every module handles the situation with missing credentials by calling
> for a kinit. This is the same situation: you need to authenticate first
> before calling ipa-getkeytab.
>
> ansible-freeipa already has support for keytab-based initialization
> through standard MIT Kerberos environmental variables:
>
> https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8fe8c0f511b7ff1f1fc
>
>
> Keytab-based authentication is available with all existing ansible roles
> that implement IPA commands because the fallback to check for a keytab
> happens in the valid_creds() method. So if you are going to create a new
> role based on the existing code, it already has all the required support for
> keytabs. It even has a FreeIPABaseModule helper class to simplify the
> implementation of new commands, which handles authentication automatically
> in its __enter__() method.
>
>
plus one
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
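The approach Alexander describes above (authenticate ipa-getkeytab with the host keytab through the standard MIT Kerberos environment instead of an interactive kinit), as an added, runnable illustration that is not code from the thread, from FreeIPA or from ansible-freeipa. Assumptions, labelled in the comments: the ipa-client layout (`/etc/krb5.keytab`, `/usr/sbin/ipa-getkeytab`, `/usr/bin/klist`), example host and principal names, and that the host principal has already been granted permission to retrieve the service's keytab (on the IPA side: `ipa service-allow-retrieve-keytab <principal> --hosts=<host>`). `KRB5_CLIENT_KTNAME` is the MIT Kerberos variable that lets the GSSAPI library obtain initial credentials from a keytab on demand; `KRB5CCNAME` is set to a private memory cache so the host TGT never lands in the calling user's default cache.

```python
"""Fetch a service keytab with ipa-getkeytab, authenticating from the host keytab.

Added example, not FreeIPA or ansible-freeipa code. Paths and names are assumptions.
"""
import os
import subprocess
from typing import Callable, Dict, List, Optional

HOST_KEYTAB = "/etc/krb5.keytab"            # assumed: host keytab written by ipa-client-install
IPA_GETKEYTAB = "/usr/sbin/ipa-getkeytab"   # assumed path of the ipa-client tool
KLIST = "/usr/bin/klist"                    # assumed path of MIT klist


def kerberos_env(client_keytab: str = HOST_KEYTAB,
                 ccache: str = "MEMORY:ipa-getkeytab") -> Dict[str, str]:
    """Environment under which GSSAPI authenticates from a keytab, no kinit needed.

    KRB5_CLIENT_KTNAME is the standard MIT Kerberos variable naming the keytab the
    library uses to acquire initial credentials when the cache holds none.
    KRB5CCNAME points at a private in-memory cache, so the TGT acquired for this
    run never touches the invoking user's default cache and dies with the process.
    """
    env = dict(os.environ)
    env["KRB5_CLIENT_KTNAME"] = client_keytab
    env["KRB5CCNAME"] = ccache
    return env


def has_valid_creds(env: Dict[str, str], runner: Callable = subprocess.run) -> bool:
    """Simple credential probe: `klist -s` exits 0 only if the cache named by
    KRB5CCNAME holds a non-expired ticket. With KRB5_CLIENT_KTNAME set, a False
    here is not fatal: GSSAPI fetches a TGT from the keytab at bind time."""
    return runner([KLIST, "-s"], env=env, check=False).returncode == 0


def getkeytab_command(server: str, principal: str, out_keytab: str,
                      retrieve: bool = True,
                      enctypes: Optional[List[str]] = None) -> List[str]:
    """Argument vector for ipa-getkeytab.

    -r (retrieve mode) fetches the key the KDC already has. Without it the command
    generates a fresh key, which invalidates every other keytab holding that
    principal, so keep retrieve=True unless a rotation is intended.
    """
    cmd = [IPA_GETKEYTAB, "-s", server, "-p", principal, "-k", out_keytab]
    if retrieve:
        cmd.append("-r")
    if enctypes:
        cmd += ["-e", ",".join(enctypes)]
    return cmd


def fetch_service_keytab(server: str, principal: str, out_keytab: str,
                         client_keytab: str = HOST_KEYTAB,
                         runner: Callable = subprocess.run) -> int:
    """Run ipa-getkeytab authenticated from client_keytab; return its exit status.

    No kinit is performed. If the private cache is empty, GSSAPI pulls a TGT for
    the host principal from KRB5_CLIENT_KTNAME during the LDAP SASL GSSAPI bind.
    The `runner` parameter exists so the call can be exercised without a KDC.
    """
    env = kerberos_env(client_keytab)
    cmd = getkeytab_command(server, principal, out_keytab)
    # umask 077: the new keytab must never be group- or world-readable, even briefly.
    old_umask = os.umask(0o077)
    try:
        rc = runner(cmd, env=env, check=False).returncode
    finally:
        os.umask(old_umask)
    if rc == 0 and os.path.exists(out_keytab):
        os.chmod(out_keytab, 0o600)
    return rc


if __name__ == "__main__":
    import sys
    # Example names are assumptions, not values from the thread.
    sys.exit(fetch_service_keytab("ipa.example.test",
                                  "HTTP/www.example.test@EXAMPLE.TEST",
                                  "/etc/httpd/www.keytab"))
```

Run as root on an enrolled client (the host keytab is root-readable only); the only thing the host needs beyond that is the retrieve-keytab grant on the service entry, which is what distinguishes "fetch the existing key" from the key-regenerating default that would break other copies of the keytab.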