Hi,
Sorry, I am probably missing something very basic in the way the vault should work for services...
So my task is simple: let's say I want to store a secret for a script. That is, the script must be able to retrieve it in an unattended way. The script is running on a Linux server, server.mydomain.com, which is enrolled in the FreeIPA domain. The script is running under the user "svc-user", which I've created in FreeIPA just for that (so its principal is svc-user@MYDOMAIN.COM). Additionally, I've also created a service "MYSVC" in FreeIPA (so I now also have the principal MYSVC\server.mydomain.com@MYDOMAIN.COM). Finally, I did not set any password for the user "svc-user" and I've configured its shell to be /sbin/nologin. Not sure if it will make any difference.
And now, with all this ready, I am trying to store my secret as admin, so that my script can retrieve it.
I create a vault (I also tried a standard one, but here I am showing an example with an asymmetric one, because all the examples I found use it):
kinit admin <Entering password for admin>
ipa vault-add svc-vault --service MYSVC\server.mydomain.com --type asymmetric --public-key-file svc.pub.pem
ipa vault-archive svc-vault --service MYSVC\server.mydomain.com --data <secret_data_in_base64>
OK, secret is stored. And here is my vault:
# ipa vault-find --services
---------------
1 vault matched
---------------
  Vault name: svc-vault
  Type: asymmetric
  Vault service: MYSVC\server.mydomain.com@MYDOMAIN.COM
----------------------------
Number of entries returned 1
----------------------------
Finally, I generate a keytab for my script:
ipa-getkeytab -p MYSVC\server.mydomain.com -k /var/kerberos/krb5/user/856500016/client.keytab
OK... now I clean up with "kdestroy" and try to run my script as the user "svc-user". And the script is trying to do this:
kinit MYSVC\server.mydomain.com -k -t /var/kerberos/krb5/user/856500016/client.keytab
klist
ipa vault-find --services
... And the problem is that it simply doesn't find the svc-vault. It does seem to manage to get the Kerberos ticket; this is the output from klist (inside the script):
Default principal: MYSVC\server.mydomain.com@MYDOMAIN.COM
Valid starting       Expires              Service principal
02/27/2019 17:04:58  02/28/2019 17:04:58  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Now... If I add the user "svc-user" as a member to my svc-vault, add svc-user to the keytab and then use "kinit svc-user" in my script, then it seems to work. But I don't understand then the whole point of a "service vault"... what's the purpose of the MYSVC/server.mydomain.com principal here, actually...?
And another question - can't exactly the same (with "svc-user" in the keytab) work also for a standard vault, without keys...? Because it looks like it becomes exactly the same use case as if I just interactively use the vault shared with svc-user...
Thanks!
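An added example, not part of the post above and not FreeIPA's own vault code: a small openssl model of the property that separates the asymmetric vault from the standard one the post compares it with. Archiving needs only the public key file (the svc.pub.pem the post passes to `ipa vault-add`), while retrieval needs the matching private key on top of a Kerberos identity, so a principal that is merely allowed to read the vault entry still cannot recover the plaintext. The file names (svc.priv.pem, other.priv.pem), the temp directory and the secret value are all constructed for the example; FreeIPA's client performs its own wrapping of the payload before it reaches the KRA, so treat this as a model of the key-handling rather than the exact on-the-wire format.

```shell
#!/bin/sh
# Added example (not from the post or FreeIPA): asymmetric-vault key handling modelled with openssl.
set -e
WORK=$(mktemp -d)                      # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# 1. Service side, done once: generate the keypair. Only svc.pub.pem is handed to the admin;
#    svc.priv.pem stays with the service account (readable only by svc-user, for instance).
gen_service_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/svc.priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/svc.priv.pem" -pubout -out "$WORK/svc.pub.pem" 2>/dev/null
}

# 2. Admin side: encrypt the secret with the public key (RSA-OAEP). Nothing here touches the
#    private key, which is why the admin can archive without ever being able to read the vault.
#    Prints the ciphertext base64-encoded, the form a --data argument takes.
archive_secret() {
  printf '%s' "$1" > "$WORK/secret.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/svc.pub.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/secret.txt" -out "$WORK/secret.enc"
  base64 "$WORK/secret.enc" | tr -d '\n'
}

# 3. Script side: the unattended consumer holds svc.priv.pem and decrypts.
retrieve_secret() {
  openssl pkeyutl -decrypt -inkey "$WORK/svc.priv.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/secret.enc"
}

# 4. Any other principal: even with read access to the vault entry, without svc.priv.pem the
#    ciphertext is useless. A freshly generated key stands in for "some other key".
retrieve_without_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.priv.pem" 2>/dev/null
  if openssl pkeyutl -decrypt -inkey "$WORK/other.priv.pem" -pkeyopt rsa_padding_mode:oaep \
       -in "$WORK/secret.enc" >/dev/null 2>&1; then
    echo UNEXPECTED
  else
    echo DENIED
  fi
}

# Stand-alone run: archive, then retrieve with and without the private key.
gen_service_keys
archive_secret 'constructed-secret-value' >/dev/null
echo "with key:    $(retrieve_secret)"
echo "without key: $(retrieve_without_key)"
```

The contrast with a standard vault is the last function: a standard vault's protection ends at the Kerberos ACL on the vault entry, whereas the asymmetric vault keeps the plaintext out of reach of anyone who has the vault membership but not the private key.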