OK, so replying to myself - in case someone has the same goal...
Here is the way that I came up with eventually. I really hope this is how it was designed to be =)
The main culprit is that the IPA service principal must be the _owner_ of the vault. This
point is somehow missing in all the examples that I could find.
Here is the full solution for my problem:
- I create a service account svc-user in FreeIPA. This account is used on the target Linux host (server.mydomain.com) just to run my script. No password is set for this account, it's just a local service account for Linux.
- I then create a service MYSVC/server.mydomain.com in FreeIPA.
- On the target Linux host, I retrieve a keytab for the service principal only:
  kinit admin
  ipa-getkeytab -p MYSVC/server.mydomain.com -k client.keytab
- I copy the keytab to the default Kerberos keytab location for the svc-user. At least on CentOS/RHEL, this will be /var/kerberos/krb5/user/<EUID>/client.keytab, where <EUID> is the euid of svc-user. Normally, you will have to create this folder (and first of all learn the euid):
  getent passwd svc-user
  <Here learn the EUID number>
  mkdir /var/kerberos/krb5/user/<EUID>/
  chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/
  mv client.keytab /var/kerberos/krb5/user/<EUID>/
  chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/client.keytab
- Now I create the service vault, store my secret there and (sic!) add my service as an owner (I show an example with a standard vault, but it can also be an asymmetric one with keys...):
  kinit admin
  ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type standard
  ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --in mysecret.txt
  ipa vault-add-member svc-vault --service MYSVC/server.mydomain.com --services MYSVC/server.mydomain.com --no-members
- And NOW my script can obtain a Kerberos ticket only for MYSVC/server.mydomain.com and actually find the vault. And actually, since the keytab is stored in the default location, I don't even need to do any "kinit" in the script. The IPA CLI will handle it all automatically. So my script can simply be:
  ipa vault-find --services
  ipa vault-retrieve svc-vault --service MYSVC/server.mydomain.com --out mysecret.txt
This solution works, and I find it pretty elegant, because I actually can separate the Linux service account (svc-user) from the actual service (MYSVC/server.mydomain.com). So I can run all my scripts under the same svc-user account on different Linux hosts throughout my domain, and each script (being a separate service) will see only its own vaults, because it will only obtain a Kerberos ticket for its own IPA service principal. Plus it seems to happen automatically, if I just put the keytab file under the default location...
Hopefully, this is how it was intended to be done. I think I like it...
Also hope it will help someone, because the available examples are somehow incomplete...
---
Regards,
Dmitry Perets
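Added example (not from Dmitry's post): a small POSIX shell script that does the keytab placement step from the post with the permissions a keytab should have (0700 directory, 0600 file, owned by the service account), plus a check that the service can see its vault without an explicit kinit. It assumes the CentOS/RHEL default client keytab layout /var/kerberos/krb5/user/<EUID>/client.keytab named in the post; the function names and the optional base-directory parameter are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Installs a service keytab into
# the per-EUID default client keytab location and locks down its permissions.
set -eu

# Print the default client keytab path for a Linux account (EUID-based, as in
# the post). The base directory is a parameter so the logic can be exercised
# outside /var/kerberos without root.
keytab_path_for_user() {
    user="$1"
    base="${2:-/var/kerberos/krb5/user}"
    euid="$(id -u "$user")"
    printf '%s/%s/client.keytab\n' "$base" "$euid"
}

# Move a freshly fetched keytab into place. The post only chowns the files;
# here the directory is also made 0700 and the keytab 0600, so no other local
# user can read the service key. chown needs root, so it runs only when we are.
install_client_keytab() {
    user="$1"
    src="$2"
    base="${3:-/var/kerberos/krb5/user}"
    dest="$(keytab_path_for_user "$user" "$base")"
    dir="$(dirname "$dest")"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    mv "$src" "$dest"
    chmod 0600 "$dest"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$user" "$dir" "$dest"
    fi
    printf '%s\n' "$dest"
}

# Sanity check to run as the service account: the keytab must carry the
# service principal, and ipa must list the vault using the default client
# keytab alone (no kinit), which is the behaviour the post relies on.
verify_service_access() {
    user="$1"
    principal="$2"   # e.g. MYSVC/server.mydomain.com
    vault="$3"
    klist -k "$(keytab_path_for_user "$user")" | grep -q "$principal" || return 1
    ipa vault-find --services | grep -q "$vault"
}
```

Run `install_client_keytab svc-user client.keytab` as root after ipa-getkeytab, then `verify_service_access svc-user MYSVC/server.mydomain.com svc-vault` as svc-user.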