Hi,
Sorry, I am probably missing something very basic in the way the vault should work for services...
So my task is simple: let's say I want to store a secret for a script. That is, the script must be able to retrieve it in an unattended way. The script is running on a Linux server server.mydomain.com, which is enrolled in the FreeIPA domain. The script is running under user "svc-user" which I've created on the FreeIPA just for that (so, its principal is svc-user@MYDOMAIN.COM). Additionally, I've also created a service "MYSVC" on the FreeIPA (so I now also have the principal MYSVC/server.mydomain.com@MYDOMAIN.COM). Finally, I did not set any password for the user "svc-user" and I've configured its shell to be /sbin/nologin. Not sure if it will make any difference.
And now, with all this ready, I am trying to store my secret as admin, so that my script can retrieve it.
I create a vault (I tried also standard one, but here I am showing an example with asymmetrical one, because all examples I found use it):
kinit admin <Entering password for admin>
ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type asymmetric --public-key-file svc.pub.pem
ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --data <secret_data_in_base64>
OK, secret is stored. And here is my vault:
# ipa vault-find --services
---------------
1 vault matched
---------------
  Vault name: svc-vault
  Type: asymmetric
  Vault service: MYSVC/server.mydomain.com@MYDOMAIN.COM
----------------------------
Number of entries returned 1
----------------------------
Finally, I generate a keytab for my script:
ipa-getkeytab -p MYSVC/server.mydomain.com -k /var/kerberos/krb5/user/856500016/client.keytab
OK... now I clean up with "kdestroy" and try to run my script as a user "svc-user". And the script is trying to do this:
kinit MYSVC/server.mydomain.com -k -t /var/kerberos/krb5/user/856500016/client.keytab
klist
ipa vault-find --services
... And the problem is that it simply doesn't find the svc-vault. It does seem like it manages to get the Kerberos ticket, this is the output from klist (inside the script):
Default principal: MYSVC/server.mydomain.com@MYDOMAIN.COM
Valid starting       Expires              Service principal
02/27/2019 17:04:58  02/28/2019 17:04:58  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Now... If I add the user "svc-user" as a member to my svc-vault, add the svc-user to the keytab and then use "kinit svc-user" in my script, then it seems to work. But I don't understand then the whole point of "service vault"... what's the purpose of the MYSVC/server.mydomain.com principal here actually...?
And another question - can't exactly the same (with "svc-user" in keytab) work also for a standard vault, without keys...? Because it looks like it becomes exactly the same use case as if I just interactively use the vault shared with svc-user...
Thanks!
OK, so replying to myself - in case someone has the same goal...
Here is the way that I came up with eventually. I really hope this is how it was designed to be =) The main culprit is that the IPA service principal must be the _owner_ of the vault. This point is somehow missing in all the examples that I could find.
Here is the full solution for my problem:
- I create a service account svc-user in FreeIPA. This account is used on the target Linux host (server.mydomain.com) just to run my script. No password is set for this account, it's just a local service account for Linux.
- I then create a service MYSVC/server.mydomain.com in FreeIPA.
- On the target Linux host, I retrieve a keytab for the service principal only:
  kinit admin
  ipa-getkeytab -p MYSVC/server.mydomain.com -k client.keytab
- I copy the keytab to the default Kerberos keytab location for the svc-user. At least on CentOS/RHEL, this will be /var/kerberos/krb5/user/<EUID>/client.keytab, where <EUID> is the euid of svc-user. Normally, you will have to create this folder (and first of all learn the euid):
  getent passwd svc-user <Here learn the EUID number>
  mkdir /var/kerberos/krb5/user/<EUID>/
  chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/
  mv client.keytab /var/kerberos/krb5/user/<EUID>/
  chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/client.keytab
- Now I create the service vault, store my secret there and (sic!) add my service as an owner (I show an example with a standard vault, but it can also be an asymmetric one with keys...):
  kinit admin
  ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type standard
  ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --in mysecret.txt
  ipa vault-add-member svc-vault --service MYSVC/server.mydomain.com --services MYSVC/server.mydomain.com --no-members
- And NOW my script can obtain a Kerberos ticket only for MYSVC/server.mydomain.com and actually find the vault. And actually, since the keytab is stored in the default location, I don't even need to do any "kinit" in the script. The IPA CLI will handle it all automatically. So my script can simply be:
  ipa vault-find --services
  ipa vault-retrieve svc-vault --service MYSVC/server.mydomain.com --out mysecret.txt
This solution works, and I find it pretty elegant, because I actually can separate the Linux service account (svc-user) from the actual service (MYSVC/server.mydomain.com). So I can run all my scripts under the same svc-user account on different Linux hosts throughout my domain, and each script (being a separate service) will see only its own vaults, because it will only obtain a Kerberos ticket for its own IPA service principal. Plus it seems to happen automatically, if I just put the keytab file under the default location...
Hopefully, this is how it was intended to be done. I think I like it... Also hope it will help someone, because the available examples are somehow incomplete...
--- Regards, Dmitry Perets
freeipa-users@lists.fedorahosted.org
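As an added example (not part of Dmitry's post or of FreeIPA itself), a small bash helper that automates the keytab placement and retrieval steps from the reply above, and first checks that the keytab in the per-user default location carries only the one service principal the script is meant to act as. It assumes the CentOS/RHEL default client keytab path named in the post; install_client_keytab must run as root, retrieve_secret as svc-user on an enrolled host.

```shell
#!/bin/bash
# Added example, not part of the original thread. Automates the keytab placement and
# vault retrieval steps above. Assumes the CentOS/RHEL default client keytab location
# (default_client_keytab_name = /var/kerberos/krb5/user/%{euid}/client.keytab).
set -eu

# Default client keytab path for a user, derived from its passwd line as printed by
# `getent passwd <user>`: the EUID is the third colon-separated field.
user_client_keytab() {
    local uid
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    printf '/var/kerberos/krb5/user/%s/client.keytab\n' "$uid"
}

# Read `klist -kt <keytab>` output on stdin and print the distinct principals it holds.
# Entry lines are "KVNO date time principal"; header and separator lines are skipped.
keytab_principals() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Root only: install the keytab where svc-user's GSSAPI client will find it without an
# explicit kinit, readable by that user alone (directory 0700, file 0600).
install_client_keytab() {
    local user="$1" src="$2" dest
    dest=$(user_client_keytab "$(getent passwd "$user")")
    install -d -o "$user" -g "$user" -m 0700 "$(dirname "$dest")"
    install -o "$user" -g "$user" -m 0600 "$src" "$dest"
}

# Run as svc-user: refuse to continue if the keytab holds anything other than the one
# service principal this script is supposed to act as, then retrieve the vault.
retrieve_secret() {
    local expected="$1" vault="$2" out="$3" keytab found
    keytab=$(user_client_keytab "$(getent passwd "$(id -un)")")
    found=$(klist -kt "$keytab" | keytab_principals)
    if [ "$found" != "$expected" ]; then
        echo "keytab $keytab holds unexpected principals: $found" >&2
        return 1
    fi
    ipa vault-retrieve "$vault" --service "${expected%@*}" --out "$out"
}

# Constructed sample of `klist -kt` output for the thread's keytab (two KVNO entries
# for the same principal), used to exercise keytab_principals offline.
SAMPLE_KLIST='Keytab name: FILE:/var/kerberos/krb5/user/856500016/client.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/27/2019 17:00:00 MYSVC/server.mydomain.com@MYDOMAIN.COM
   2 02/27/2019 17:00:00 MYSVC/server.mydomain.com@MYDOMAIN.COM'
```

Typical use is `install_client_keytab svc-user client.keytab` once as root, then `retrieve_secret MYSVC/server.mydomain.com@MYDOMAIN.COM svc-vault mysecret.txt` from the script running as svc-user.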