I know that on a former commercial product I used, the monthly machine account credential renewal had a "hook" parameter where you could specify an executable script to be called. It was designed to work with Samba, so that you could write the Samba keytab file without Samba needing to access the /etc/krb5.keytab file.

Possibly sssd has such a post-rotate hook parameter as well.

That worked great for creating Samba-viewable credentials.

However, it sounds like you're defining SPNs as alternate names for the host principal. I don't see how you could write an HTTP.keytab file or so with entries for HTTP/<service>@<domain> without embedding the credentials for the host principal (under the HTTP/ SPN of course).

Spike
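An added example (not code from either poster) of the kind of post-rotation hook described above: instead of calling ktutil, it reads the freshly renewed host keytab in the MIT keytab file format (version 0x0502), copies only the entries whose first name component is HTTP, and returns a new keytab that can be written 0600 for the web service's own account. As the reply notes, the HTTP/ entries still carry the machine account's key under the HTTP/ name, so this limits what the service can enumerate, not the secret itself; the sample entries and principals are constructed, and `make_entry` exists only to build that sample.

```python
import os, struct
MAGIC = b"\x05\x02"  # MIT keytab file format version 0x0502

def _cos(buf, off):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def principal_of(body):
    """Return 'comp/comp@REALM' for one raw entry body (the realm precedes the components)."""
    (ncomp,) = struct.unpack_from(">H", body, 0)
    realm, off = _cos(body, 2)
    comps = []
    for _ in range(ncomp):
        c, off = _cos(body, off)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode()

def entries(keytab):
    """Yield (principal, raw body) per live entry; a negative size marks a deleted slot."""
    if keytab[:2] != MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off < len(keytab):
        (size,) = struct.unpack_from(">i", keytab, off)
        off += 4
        if size > 0:
            body = keytab[off:off + size]
            yield principal_of(body), body
        off += abs(size)

def split_service_keytab(keytab, service):
    """Copy only entries whose first name component equals `service`, e.g. 'HTTP'."""
    out = bytearray(MAGIC)
    for princ, body in entries(keytab):
        if princ.split("/", 1)[0] == service:
            out += struct.pack(">i", len(body)) + body
    return bytes(out)

def make_entry(princ, key, vno=3, enctype=18):
    """Constructed sample data only: build one entry (enctype 18 = aes256-cts-hmac-sha1-96)."""
    cos = lambda b: struct.pack(">H", len(b)) + b
    name, realm = princ.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cos(realm.encode())
    body += b"".join(cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 1689838680, vno)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + cos(key)    # keyblock: type + key bytes
    return struct.pack(">i", len(body)) + body
```

Write the returned bytes with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and chown the file to the service account, so the web service never opens /etc/krb5.keytab at all.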

On Thu, Jul 20, 2023 at 7:38 AM Stefan Bauer <cubewerk@gmail.com> wrote:
Dear Users,

I really love SSSD and also the auto-renewal of the host keytab file.

On many hosts we add the SPNs

HTTP/
SQL/...

directly to the machine account in Active Directory. This is all fine and works.

However, I have a bad feeling about letting services read the keytab file, as it gives access to the machine account.

Opinions?

How do you handle service keytabs and their rotation?

Thank you.

Stefan
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue