On to, 03 marras 2022, Ronald Wimmer via FreeIPA-users wrote:
> On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer wrote:
>>> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>>>
>>>> Hello Ronald,
>>>>
>>>> Ronald Wimmer via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes:
>>>>
>>>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>> In order to integrate our AIX clients we do have to take two steps
>>>>>>> manually:
>>>>>>>
>>>>>>> 1) Enrolling the host
>>>>>>> 2) Fetching the keytab file for this particular host
>>>>>>>
>>>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>>>> method but I cannot find a method for fetching a keytab file. Did I
>>>>>>> miss something here?
>>>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>>>> ipa-getkeytab.
>>>>>
>>>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's
>>>>> keytab from LDAP, right?
>>>>
>>>> I'd do the following:
>>>>
>>>> 1. Enroll the host in freeipa:
>>>> ipa host-add aix.example.org --ip-address=192.168.30.x
>>>> 2. Allow my user to create a keytab:
>>>> ipa host-allow-create-keytab aix.example.org --users=jochen
>>>> 3. get the keytab:
>>>> ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>>> Keytab successfully retrieved and stored in: aix.keytab
>>>> 4. Transfer the keytab to the AIX host
>>>
>>> Thanks Jochen! I am trying to automate these steps. AIX colleagues are a
>>> separate team and do not have the possibility to use ipa commands on a
>>> Linux machine at the moment.
>>>
>>> What I need is a possibility to enroll a host and fetch its keytab
>>> completely without ipa commands and manual interaction so that the AIX
>>> guys can do that themselves.
>>
>> Jochen outlined the recommended way to handle non-Linux OS's. If you
>> want to do it from AIX then you'll need to build ipa-getkeytab on AIX.
>
> Is the keytab file generated on demand or does it reside somewhere in
> the LDAP tree?
>
> Just for my understanding... why is there no API way to fetch the
> keytab file?
There is an API and it is provided through the ipa-getkeytab tool. It
uses a secure mechanism we developed on top of 389-ds LDAP server access
controls, not the HTTPS server, to reduce the number of parties who might
get hold of the Kerberos keys to be transferred. Remember that a keytab is
simply a file containing a bunch of Kerberos keys. Each key can be
considered a form of a password, from a usage point of view. The fewer
hands touch it, the better.

Thanks for clarifying this matter!
Building ipa-getkeytab on AIX will most likely result in some kind of
nightmare. What would you consider as the most feasible way to enroll an
AIX host and fetch its keytab in an automated manner? (We could provide
our AIX guys with an IPA client machine so that all IPA commands would
be available there...)
Cheers,
Ronald
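Jochen's four steps, scripted as an added example that is not from this thread or from the FreeIPA project, intended to run on an enrolled IPA client such as the one Ronald proposes giving the AIX team. The operator account name, the IP address, root ssh access to the AIX host and the IBM NAS default keytab path /etc/krb5/krb5.keytab are assumptions; the caller is assumed to already hold a Kerberos ticket for a user allowed to add hosts.

```shell
#!/bin/sh
# Added example, not FreeIPA code: enroll an AIX host and hand it a keytab
# from an enrolled IPA client. Assumed: the caller has a Kerberos ticket of a
# user allowed to add hosts, root ssh to the AIX box works, and the IBM NAS
# default keytab path /etc/krb5/krb5.keytab is right (override via $4).
set -eu
umask 077   # every file created below is owner-only, the keytab included

# Build host/<fqdn>@<REALM>, the principal ipa-getkeytab generates keys for.
host_principal() { printf 'host/%s@%s\n' "$1" "$2"; }

# Require a dotted, lower-case hostname: IPA enrolls FQDNs only, and the
# name is later interpolated into ssh/scp arguments.
validate_fqdn() {
    case "$1" in
        *.*) ;;                                # at least one dot
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-z0-9.-]*|-*|*.|.*) return 1 ;;   # illegal character or placement
    esac
}

enroll_aix_host() {
    fqdn=$1; ip=$2; operator=$3; dest=${4:-/etc/krb5/krb5.keytab}
    realm=$(grep -E '^realm *=' /etc/ipa/default.conf | sed 's/.*= *//')
    validate_fqdn "$fqdn" || { echo "bad FQDN: $fqdn" >&2; return 1; }

    # 1) enroll once; a second run must not fail on an already existing host
    ipa host-show "$fqdn" >/dev/null 2>&1 || ipa host-add "$fqdn" --ip-address="$ip"
    # 2) let the operator account create keys for this one host only
    ipa host-allow-create-keytab "$fqdn" --users="$operator"

    # 3) fetch the keytab into a private temp dir that is removed on any exit.
    # Without -r, ipa-getkeytab generates NEW keys (kvno increases), so
    # re-running this invalidates any keytab the host already holds.
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT INT TERM
    ipa-getkeytab -p "$(host_principal "$fqdn" "$realm")" -k "$tmp/krb5.keytab"

    # 4) transfer over ssh only; the local copy is discarded by the trap
    scp -q "$tmp/krb5.keytab" "root@$fqdn:$dest"
    ssh "root@$fqdn" "chmod 600 '$dest'"
}

# usage: enroll_aix_host aix.example.org 192.168.30.10 jochen [/path/on/aix]
if [ $# -ge 3 ]; then enroll_aix_host "$@"; fi
```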