On Sun, 12 Dec 2021, Steven Jones via FreeIPA-users wrote:
No help from Dell/EMC; they have no idea.
No help from Red Hat despite initial promises some years ago when we
looked at IPA/IdM.
Now setting up a "proper" MIT Kerberos realm. If RH won't engage with
vendors as promised to us, it's rather self-defeating with an "AD"
nothing can talk to.
If the Dell/EMC product issues kadmin requests, that can only be fixed on
their product side.
The kadmin interface is not supported for operations with FreeIPA/RHEL IdM
for many reasons, most importantly due to a lack of proper separation of
access rights inside kadmind: information about who is running the
kadmin operation is not passed through to the database driver, so the
driver cannot perform these operations under the intended principal
identity. As a result, all authorized kadmin requests are done as the
cn=Directory Manager identity, which is what the KDB driver itself uses.
This is why in FreeIPA, by default, we don't map any kadmin access-based
principal to a valid Kerberos identity: anyone impersonating that
principal would effectively be a super admin.
I feel your pain. Looking into my archives, there were roughly 3-4
requests on how to integrate with Dell/EMC products during the past decade
on this mailing list. I am not aware of any enhancement request filed with
Dell/EMC that we can refer to. Please note that a feature enhancement is
different from the support request you referred to above as 'they
have no idea'.
🙁
regards
Steven
________________________________
From: Alexander Bokovoy <abokovoy(a)redhat.com>
Sent: Thursday, 2 December 2021 4:48 am
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Steven Jones <steven.jones(a)vuw.ac.nz>
Subject: Re: [Freeipa-users] Re: EMC Isilon and IPA - Kerberos
On Wed, 01 Dec 2021, Steven Jones via FreeIPA-users wrote:
>>Is there a command in Isilon toolset that allows you to import a keytab
>>generated by other means?
>
>Seems not. We have asked EMC/Dell and no reply so far.
>
>Looking at standing up an MIT Kerberos server and then seeing if I can do
>a one-way trust to IPA, which in turn has a one-way trust to AD, but that
>is getting really messy.
I'd suggest you follow up with EMC/Dell first. There are parts that
will no longer work with a raw MIT Kerberos 'trust' to an IPA deployment,
from the IPA side. This is related to the set of changes we made recently in
response to Microsoft's November 2021 security release. Eventually this
will find its way into production environments and EMC/Dell will have to
handle that too.
>
>🙁
>
>
>regards
>
>Steven
>
>________________________________
>From: Alexander Bokovoy <abokovoy(a)redhat.com>
>Sent: Wednesday, 1 December 2021 2:43 AM
>To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>Cc: thing.thing(a)gmail.com <thing.thing(a)gmail.com>
>Subject: Re: [Freeipa-users] EMC Isilon and IPA - Kerberos
>
>On Tue, 30 Nov 2021, thing.thing--- via FreeIPA-users wrote:
>>I have the Isilon talking to IPA for LDAP. What I cannot yet do is run the Isilon command to make Kerberos work.
>>
>>=====
>>tststocoiso-1# kinit admin@ODSTEST.VUWTEST.AC.NZ
>>Password for admin@ODSTEST.VUWTEST.AC.NZ:
>>tststocoiso-1# klist
>>Ticket cache: FILE:/tmp/krb5cc_0
>>Default principal: admin@ODSTEST.VUWTEST.AC.NZ
>>
>>Valid starting       Expires              Service principal
>>11/30/21 16:44:56    12/01/21 16:10:10    krbtgt/ODSTEST.VUWTEST.AC.NZ@ODSTEST.VUWTEST.AC.NZ
>>tststocoiso-1# isi auth krb5 spn fix --provider-name=ODSTEST.VUWTEST.AC.NZ --user=admin
>>password:
>>Attempting to add missing SPNs:
>>HTTP/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>>hdfs/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>>host/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>>nfs/tststocoisnfs01.odstest.vuwtest.ac.nz@ODSTEST.VUWTEST.AC.NZ
>>Failed to join realm: (LW_ERROR_KADM5_AUTH_ADD) Operation requires ``add'' privilege
>>tststocoiso-1#
>>====
>>
>>What is the add privilege? How do I grant it to admin?
>
>From what you are showing, I can gather that Isilon has its own utility to
>join Kerberos realms by using kadmin. FreeIPA does not really allow use
>of kadmin over the network because there is an issue with auditing the
>operations done through kadmin: every operation comes into a database
>layer and is executed there under the same 'super user' identity
>(cn=Directory Manager). As a result, there are no default ACLs which
>allow kadmin write access to any IPA Kerberos principal, including admin.
>
>Additionally, FreeIPA does not follow the Active Directory approach of
>SPNs being aliases of the same machine account. This means that if you were to
>create HTTP/.., hdfs/.., host/.., nfs/.. principals in IPA for the
>Isilon host with IPA tools (ipa host-add ... and ipa service-add ...
>commands), they would operate on different accounts. This is not
>something that Windows-oriented tools expect.
>
>Is there a command in Isilon toolset that allows you to import a keytab
>generated by other means?
>
>Are these Isilon tools open source?
>
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
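The alternative Alexander points at in the thread, creating the principals with IPA's own tools and then handing the Isilon a keytab "generated by other means", as an added example that is not part of the original posts and is not Isilon's or FreeIPA's own tooling. The host name, realm and the four SPN types come from the `isi auth krb5 spn fix` output above; the IPA server name and the keytab path are assumptions, and the script expects an existing admin ticket (kinit admin) with the default IPA permissions to add hosts, add services and retrieve keytabs. Set DRY_RUN=1 to print the command sequence instead of running it.

```shell
#!/bin/sh
# Added example: provision the SPNs that "isi auth krb5 spn fix" tried to
# create through kadmin (which IPA does not allow), using the IPA API
# instead, and collect every key into one keytab for the appliance to import.
# Assumed values (not from the thread): IPA_SERVER and KEYTAB.
IPA_SERVER="${IPA_SERVER:-ipa.odstest.vuwtest.ac.nz}"
KEYTAB="${KEYTAB:-/tmp/isilon.keytab}"
DRY_RUN="${DRY_RUN:-0}"

# Service types the Isilon asked for, taken from the error output in the thread.
SPN_TYPES="host HTTP hdfs nfs"

# Print one principal per line for a given FQDN and realm.
spn_list() {
    fqdn="$1"; realm="$2"
    for t in $SPN_TYPES; do
        printf '%s/%s@%s\n' "$t" "$fqdn" "$realm"
    done
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Create the host entry, then one service entry per non-host SPN (each is a
# separate IPA account, as the thread explains), and fetch each key into the
# same keytab file. ipa-getkeytab appends to an existing keytab and re-keys
# the principal on every call, so run this once per host and import the result.
provision_isilon() {
    fqdn="$1"; realm="$2"
    run ipa host-add "$fqdn" --force          # --force: do not require a DNS record
    spn_list "$fqdn" "$realm" | while read -r princ; do
        case "$princ" in
            host/*) ;;                        # already created by host-add
            *) run ipa service-add "$princ" ;;
        esac
        run ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$KEYTAB"
    done
    run klist -kt "$KEYTAB"                   # show what the appliance will receive
}

# Usage: sh provision_isilon.sh tststocoisnfs01.odstest.vuwtest.ac.nz ODSTEST.VUWTEST.AC.NZ
if [ "$#" -ge 2 ]; then
    provision_isilon "$1" "$2"
fi
```

The resulting keytab carries a distinct key for each of the four principals, because each is its own IPA entry; that is exactly the layout the thread warns Windows-oriented tools may not expect. FreeIPA's principal-alias commands (ipa host-add-principal) can attach the HTTP/, hdfs/ and nfs/ names to the host entry instead, but whether the Isilon importer accepts either layout is not something the thread establishes, so check that with the vendor before relying on it.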