2:22 a.m.
Hello,
When I retrieve a service keytab, what I do is more or less this:
ipa-getkeytab -a admin -P password -s service/client.example.com -k /path/to/keytab
However, the ipa-getkeytab man page mention this:
===========
-Y, --mech
SASL mechanism to use if -D and -w are not specified. Use either GSSAPI or EXTERNAL.
===========
So, if I am not mistaken, that means I can use another keytab in order to download the
service/client.example.com one. Is that true?
And if so, which keytab should I use and how? Because I cannot find an option that goes
along with the -Y GSSAPI.
Thanks
2:43 a.m.
New subject: Retrieve service keytab with host keytab authentication?
On ke, 31 maalis 2021, Peter Tselios via FreeIPA-users wrote:
Hello,
When I retrieve a service keytab, what I do is more or less this:
ipa-getkeytab -a admin -P password -s service/client.example.com -k /path/to/keytab
However, the ipa-getkeytab man page mention this:
===========
-Y, --mech
SASL mechanism to use if -D and -w are not specified. Use either GSSAPI or EXTERNAL.
===========
So, if I am not mistaken, that means I can use another keytab in order to download the
service/client.example.com one. Is that true?
And if so, which keytab should I use and how? Because I cannot find an option that goes
along with the -Y GSSAPI.
It expects that your current credentials cache has valid credentials:
kinit -k -t /path/to/keytab.file
ipa-getkeytab -Y GSSAPI ...
IPA hosts that manage IPA services can re-key their kerberos keys by
default.
If more control is needed, see following IPA CLI commands
(ipa help <command> is useful to get more details):
host-allow-create-keytab Allow users, groups, hosts or host groups to create a
keytab of this host.
host-allow-retrieve-keytab Allow users, groups, hosts or host groups to retrieve a
keytab of this host.
host-disallow-create-keytab Disallow users, groups, hosts or host groups to create a
keytab of this host.
host-disallow-retrieve-keytab Disallow users, groups, hosts or host groups to retrieve
a keytab of this host.
service-allow-create-keytab Allow users, groups, hosts or host groups to create a
keytab of this service.
service-allow-retrieve-keytab Allow users, groups, hosts or host groups to retrieve
a keytab of this service.
service-disallow-create-keytab Disallow users, groups, hosts or host groups to
create a keytab of this service.
service-disallow-retrieve-keytab Disallow users, groups, hosts or host groups to
retrieve a keytab of this service.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4:14 a.m.
New subject: Retrieve service keytab with host keytab authentication?
Hi Alexander and thank you for your answer.
My point is that I **don't** want to use the kinit.
I also looked in the API Browser and I couldn't find any relevant option, so can
someone tell me if there is an API call that I could use in order to download a keytab?
If it doesn't, I will create an RFE for this since without an API call, we cannot
create an ansible module for this.
11:41 p.m.
New subject: Retrieve service keytab with host keytab authentication?
Hi Peter,
On su, 04 huhti 2021, Peter Tselios via FreeIPA-users wrote:
My point is that I **don't** want to use the kinit.
You need to be authenticated to use ipa-getkeytab. There are two methods
of authentication available in ipa-getkeytab:
- use of an explicit LDAP bind DN credentials, typically 'cn=Directory Manager'
- use of Kerberos credentials
The latter obeys standard MIT Kerberos environmental variables so
client-initiated keytab-based authentication can be used as well. See
below for references in ansible-freeipa code.
I also looked in the API Browser and I couldn't find any relevant
option, so can someone tell me if there is an API call that I could use
in order to download a keytab?
There is no IPA API call for that. You are talking here to LDAP server,
not to an IPA API end-point.
If it doesn't, I will create an RFE for this since without an API
call,
we cannot create an ansible module for this.
I don't see how these two are related. Even with an IPA API call you
need authentication to happen first. If you look into ansible-freeipa
code, every module handles situation with missing credentials by calling
for a kinit. This is the same situation: you need to authenticate first
before calling for ipa-getkeytab.
ansible-freeipa already has support for keytab-based initialization
through standard MIT Kerberos environmental variables:
https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8f...
Keytab-based authentication is available with all existing ansible roles
that implement IPA commands because the fallback to check for a keytab
happens in the valid_creds() method. So if you are going to create a new
role based on the existing code, it has already all required support for
keytabs. It even has FreeIPABaseModule helper class to simplify
implementation of new commands that handles authentication automatically
in __enter__() method.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4:12 a.m.
New subject: Retrieve service keytab with host keytab authentication?
On 05/04/21 10:11 am, Alexander Bokovoy via FreeIPA-users wrote:
Hi Peter,
On su, 04 huhti 2021, Peter Tselios via FreeIPA-users wrote:
> My point is that I **don't** want to use the kinit.
You need to be authenticated to use ipa-getkeytab. There are two methods
of authentication available in ipa-getkeytab:
- use of an explicit LDAP bind DN credentials, typically
'cn=Directory Manager'
- use of Kerberos credentials
The latter obeys standard MIT Kerberos environmental variables so
client-initiated keytab-based authentication can be used as well. See
below for references in ansible-freeipa code.
> I also looked in the API Browser and I couldn't find any relevant
> option, so can someone tell me if there is an API call that I could use
> in order to download a keytab?
There is no IPA API call for that. You are talking here to LDAP server,
not to an IPA API end-point.
> If it doesn't, I will create an RFE for this since without an API call,
> we cannot create an ansible module for this.
I don't see how these two are related. Even with an IPA API call you
need authentication to happen first. If you look into ansible-freeipa
code, every module handles situation with missing credentials by calling
for a kinit. This is the same situation: you need to authenticate first
before calling for ipa-getkeytab.
ansible-freeipa already has support for keytab-based initialization
through standard MIT Kerberos environmental variables:
https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8f...
Keytab-based authentication is available with all existing ansible roles
that implement IPA commands because the fallback to check for a keytab
happens in the valid_creds() method. So if you are going to create a new
role based on the existing code, it has already all required support for
keytabs. It even has FreeIPABaseModule helper class to simplify
implementation of new commands that handles authentication automatically
in __enter__() method.
plus one
7:45 a.m.
New subject: Απ: Re: Retrieve service keytab with host keytab authentication?
I cannot see the reply in the web, so, maybe I missed something.
The fact that I need to authenticate in order to retrieve the keytab is obvious.
Maybe in my OP I focused too much on the authentication method, but for me, the most
important issue is the lack of API call (and yes, I plan to submit an RFE for this). The
GSSAPI support is very interesting and I will investigate it further; it looks very
promising.
________________________________
Από: akash rao via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Στάλθηκε: Δευτέρα, 5 Απριλίου 2021 12:12
Προς: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Κοιν.: akash rao <akash.rao.ind(a)gmail.com>
Θέμα: [Freeipa-users] Re: Retrieve service keytab with host keytab authentication?
On 05/04/21 10:11 am, Alexander Bokovoy via FreeIPA-users wrote:
Hi Peter,
On su, 04 huhti 2021, Peter Tselios via FreeIPA-users wrote:
> My point is that I **don't** want to use the kinit.
You need to be authenticated to use ipa-getkeytab. There are two methods
of authentication available in ipa-getkeytab:
- use of an explicit LDAP bind DN credentials, typically
'cn=Directory Manager'
- use of Kerberos credentials
The latter obeys standard MIT Kerberos environmental variables so
client-initiated keytab-based authentication can be used as well. See
below for references in ansible-freeipa code.
> I also looked in the API Browser and I couldn't find any relevant
> option, so can someone tell me if there is an API call that I could use
> in order to download a keytab?
There is no IPA API call for that. You are talking here to LDAP server,
not to an IPA API end-point.
> If it doesn't, I will create an RFE for this since without an API call,
> we cannot create an ansible module for this.
I don't see how these two are related. Even with an IPA API call you
need authentication to happen first. If you look into ansible-freeipa
code, every module handles situation with missing credentials by calling
for a kinit. This is the same situation: you need to authenticate first
before calling for ipa-getkeytab.
ansible-freeipa already has support for keytab-based initialization
through standard MIT Kerberos environmental variables:
https://github.com/freeipa/ansible-freeipa/commit/09ab29b4e70649155d43e8f...
Keytab-based authentication is available with all existing ansible roles
that implement IPA commands because the fallback to check for a keytab
happens in the valid_creds() method. So if you are going to create a new
role based on the existing code, it has already all required support for
keytabs. It even has FreeIPABaseModule helper class to simplify
implementation of new commands that handles authentication automatically
in __enter__() method.
plus one
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1110
days inactive
1115
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
akash rao -
Alexander Bokovoy -
Peter Tselios