Spike,
thank you again. I'm aware of the link James supplied and i already tested
it successfully. As I'm doing some research, i just wanted to have a
second/third opinion on how other admins handle the keytab/rotation problem.
Specifically if it is bad practice to have many SPNs on a single
host-object in Active-Directory :)
So it looks like i either have to create unique host/user/objects in AD and
use individual keytab-files for each service, or do the separation in
software with gssproxy.
Stefan
Am Di., 25. Juli 2023 um 15:54 Uhr schrieb Spike White <
spikewhitetx(a)gmail.com>:
Stefan,
From what I'm reading, it looks like James supplied the answer.
gssproxy. This URL:
gssproxy/docs/Apache.md at main · gssapi/gssproxy · GitHub
<
https://github.com/gssapi/gssproxy/blob/main/docs/Apache.md>
seems to demonstrate how to implement this for Apache webserver.
Spike
On Tue, Jul 25, 2023 at 12:50 AM Stefan Bauer <cubewerk(a)gmail.com> wrote:
> Thank you Spike and James for your reply. That was quite helpful.
> Yes i currently do have a single host principal in Active-Directory, that
> has numerous servicePrincipalNames:
> HOST/...
> HTTP/
> SQL/...
>
> for al services, running on this specific host.
>
> So it can not be separated as the only credential for that host is the
> machine account itself. Correct?
>
> Is it bad practice to have additional SPNs on the host principal?
>
> How do you associate and rotate your keytabs for services?
>
> Thank you.
>
> Stefan
>
>
>
> Am Mo., 24. Juli 2023 um 23:14 Uhr schrieb Spike White <
> spikewhitetx(a)gmail.com>:
>
>> I know on a former commercial product I used the monthly machine
>> account credential renewal had a "hook" parameter where you could
specify
>> an executable script to be called. It was designed to work with Samba, so
>> that you could write the samba keytab file without Samba needing to access
>> the /etc/krb5.keytab file.
>>
>> Possibly sssd has such a post-rotate hook parameter as well.
>>
>> That worked great for creating a Samba-viewable credentials.
>>
>> However, it sounds like you're defining SPNs as alternate names for the
>> host principal. I don't see how you could write a HTTP.keytab file or so
>> with entries for HTTP/<service>@<domain> without embedding the
>> credentials for the host principal (under the HTTP/ SPN of course).
>>
>> Spike
>>
>> On Thu, Jul 20, 2023 at 7:38 AM Stefan Bauer <cubewerk(a)gmail.com> wrote:
>>
>>> Dear Users,
>>>
>>> i really love SSSD and also the auto-renewal of the host-keytab file.
>>>
>>> On many hosts we add the SPNs
>>>
>>> HTTP/
>>> SQL/...
>>>
>>> directly to the machine-account in Active-Directory. This is all fine
>>> and works.
>>>
>>> However i have a bad feeling about letting services read the keytab
>>> file as it gives access to the machine-account.
>>>
>>> Opinions?
>>>
>>> How do you handle service keytabs and it's rotation?
>>>
>>> Thank you.
>>>
>>> Stefan
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>> Do not reply to spam, report it:
>>>
https://pagure.io/fedora-infrastructure/new_issue
>>>
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>> Do not reply to spam, report it:
>>
https://pagure.io/fedora-infrastructure/new_issue
>>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
>
https://pagure.io/fedora-infrastructure/new_issue
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue