On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
>service principals have never been bound to hosts. The hostname is just
>part of the principal name. It’s not enforced. Pick whatever hostname
>you want. (I actually think this is a bug.)
No, this is not really what it is. Service principals are always bound
to a host name but starting with FreeIPA 4.7.0 it is possible to create
service principals that have no host object with the same host name.
So, before FreeIPA 4.7, you needed to do
ipa host-add foo.bar.z
ipa service-add HTTP/foo.bar.z
Since FreeIPA 4.7.0 you can do
ipa service-add HTTP/foo.bar.z --skip-host-check
to create a service principal without a managed host. It still would
require foo.bar.z to be properly mappable to the IPA realm (see
https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/)
but that host doesn't need to exist in IPA.
On Nov 22, 2019, at 2:14 PM, Dmitry Perets
<dmitry.perets@gmail.com> wrote:
Hi,
Can you please remind me from which IPA version you support service principals not bound
to hosts? I think that would be then a better solution for my case, as I am really using
this user for non-interactive workloads.
And in the meantime, what is the nicest solution for some service that has instances on
multiple hosts? I could of course define separate service principals for each one of them
(e.g. MYSVC/hostname), but if - for example - they need to read secrets from the same
shared Vault, I then must add all of them as its members. And there are 30 instances...
That is why I thought to let them authenticate with the same principal.
Any solution for this in the current version of IPA (4.6)?
---
Regards,
Dmitry Perets
On Fri, 22 Nov 2019, 20:05 Alexander Bokovoy,
<abokovoy@redhat.com> wrote:
On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
>Interesting idea, but seems to require a time machine. The kerberos in
>centos 8 is 1.16. I believe Ubuntu 18 is also.
Actually, I did check the source code commits in upstream MIT
Kerberos and I attributed it wrongly. '-f' is part of the 1.17 release and
'-s' is in the 1.16 release. So, it should be in RHEL 8.
>On Nov 22, 2019, at 1:21 PM, Alexander Bokovoy via FreeIPA-users
><freeipa-users@lists.fedorahosted.org> wrote:
>
>ktutil> add_entry -password -p principal -k kvno -f
>
>The key part here is '-f' which fetches a salt from KDC. Otherwise,
>you'd need to use '-s salt' option to specify a salt manually. Option
>'-f' appeared in MIT 1.18, '-s' in MIT Kerberos 1.17.
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
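An added illustration, not part of the thread, of why the ktutil discussion quoted above insists on '-f' (fetch the salt from the KDC) or a correct '-s': the keytab entry's key is derived from the password and the salt, so an entry built with a different salt string carries a different key than the KDC holds and authentication fails even though the password is right. The code assumes the default Kerberos salt rule (RFC 4120, realm followed by the principal name components) and the PBKDF2 stage of the aes-sha1 string-to-key function (RFC 3962); the function names and the realm IPA.TEST are mine.

```python
import hashlib

# Default Kerberos salt (RFC 4120 section 4, the rule MIT krb5 applies when no
# explicit salt is recorded for a principal): the realm name followed by every
# component of the principal name, concatenated with no separators.
def default_salt(principal: str) -> str:
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))

# PBKDF2 stage of the aes*-cts-hmac-sha1-96 string-to-key function (RFC 3962
# section 4): tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, keylen).
# The final key is DK(tkey, "kerberos"), an AES-based step left out here because
# the standard library has no AES; tkey already shows the salt dependence.
def pbkdf2_tkey(password: str, salt: str, iterations: int = 4096, keylen: int = 32) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)

# Sanity check against the first test vector in RFC 3962 Appendix B
# (1 iteration, "password", salt "ATHENA.MIT.EDUraeburn", 128-bit output).
def rfc3962_vector_ok() -> bool:
    tkey = pbkdf2_tkey("password", default_salt("raeburn@ATHENA.MIT.EDU"),
                       iterations=1, keylen=16)
    return tkey.hex() == "cdedb5281bb2f801565a1122b2563515"

# Whether a keytab entry built from `password` with `entry_salt` would carry the
# same key as the KDC, which derived its key with `kdc_salt`. Any mismatch in the
# salt string produces a different key even though the password is identical.
def entry_matches_kdc(password: str, kdc_salt: str, entry_salt: str) -> bool:
    return pbkdf2_tkey(password, kdc_salt) == pbkdf2_tkey(password, entry_salt)

if __name__ == "__main__":
    # Constructed sample: the principal from the thread in a made-up realm.
    principal = "HTTP/foo.bar.z@IPA.TEST"
    kdc_salt = default_salt(principal)
    print("default salt:", kdc_salt)
    print("RFC 3962 vector ok:", rfc3962_vector_ok())
    # Same password, but the realm part of the salt typed in lower case.
    wrong_salt = default_salt("HTTP/foo.bar.z@ipa.test")
    print("entry matches KDC with correct salt:", entry_matches_kdc("Secret123", kdc_salt, kdc_salt))
    print("entry matches KDC with wrong salt:", entry_matches_kdc("Secret123", kdc_salt, wrong_salt))
```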