OK, so replying to myself - in case someone has the same goal...
Here is the way that I came up with eventually. I really hope this is how it was designed to be =) The main culprit is that the IPA service principal must be the _owner_ of the vault. This point is somehow missing in all the examples that I could find.
Here is the full solution for my problem:
- I create a service account svc-user in FreeIPA. This account is used on the target Linux host (server.mydomain.com) just to run my script. No password is set for this account; it's just a local service account for Linux.
- I then create a service MYSVC/server.mydomain.com in FreeIPA.
- On the target Linux host, I retrieve a keytab for the service principal only:

  kinit admin
  ipa-getkeytab -p MYSVC/server.mydomain.com -k client.keytab
- I copy the keytab to the default Kerberos keytab location for the svc-user. At least on CentOS/RHEL, this will be /var/kerberos/krb5/user/<EUID>/client.keytab, where <EUID> is the euid of svc-user. Normally, you will have to create this folder (and first of all learn the euid):

  getent passwd svc-user          # <Here learn the EUID number>
  mkdir /var/kerberos/krb5/user/<EUID>/
  chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/
  mv client.keytab /var/kerberos/krb5/user/<EUID>/
  chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/client.keytab
- Now I create the service vault, store my secret there and (sic!) add my service as an owner (I show an example with a standard vault, but it can also be an asymmetric one with keys...):

  kinit admin
  ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type standard
  ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --in mysecret.txt
  ipa vault-add-member svc-vault --service MYSVC/server.mydomain.com --services MYSVC/server.mydomain.com --no-members
- And NOW my script can obtain a Kerberos ticket only for MYSVC/server.mydomain.com and actually find the vault. And actually, since the keytab is stored in the default location, I don't even need to do any "kinit" in the script. The IPA CLI will handle it all automatically. So my script can simply be:

  ipa vault-find --services
  ipa vault-retrieve svc-vault --service MYSVC/server.mydomain.com --out mysecret.txt
This solution works, and I find it pretty elegant, because I actually can separate the Linux service account (svc-user) from the actual service (MYSVC/server.mydomain.com). So I can run all my scripts under the same svc-user account on different Linux hosts throughout my domain, and each script (being a separate service) will see only its own vaults, because it will only obtain a Kerberos ticket for its own IPA service principal. Plus it seems to happen automatically, if I just put the keytab file under the default location...
Hopefully, this is how it was intended to be done. I think I like it... Also hope it will help someone, because the available examples are somehow incomplete...
---
Regards,
Dmitry Perets
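As an added example (not part of the post above, nor FreeIPA's own tooling), the keytab installation and vault retrieval steps from the post wrapped in a small script that also verifies the keytab is owned by svc-user and readable by nobody else, and creates the retrieved secret file with mode 0600. It assumes the names from the post (svc-user, MYSVC/server.mydomain.com, svc-vault), the CentOS/RHEL per-user keytab path, and GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post. Installs the service keytab
# into the per-user default keytab location with safe ownership and
# permissions, checks it, and retrieves the vault secret as svc-user.
# Names and the keytab path are the ones used in the post (assumptions).
set -eu

SVC_USER="svc-user"
SVC_PRINCIPAL="MYSVC/server.mydomain.com"
VAULT="svc-vault"

# Default client keytab path for a given EUID (CentOS/RHEL layout).
keytab_path() {
    printf '/var/kerberos/krb5/user/%s/client.keytab\n' "$1"
}

# Verify that a keytab is a regular file, owned by the expected user and
# readable by that user only (group/other bits all zero). Returns 1 if not.
check_keytab() {
    file="$1"; expected_owner="$2"
    [ -f "$file" ] || { echo "keytab missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file"); owner=$(stat -c '%U' "$file")   # GNU stat
    [ "$owner" = "$expected_owner" ] || { echo "bad owner $owner: $file" >&2; return 1; }
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "keytab $file is mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# Run as root: move client.keytab (from ipa-getkeytab) into place for svc-user.
install_keytab() {
    src="$1"
    dest=$(keytab_path "$(id -u "$SVC_USER")")
    install -d -m 0700 -o "$SVC_USER" -g "$SVC_USER" "$(dirname "$dest")"
    install -m 0600 -o "$SVC_USER" -g "$SVC_USER" "$src" "$dest"
    rm -f "$src"                    # do not leave a world-readable copy behind
    check_keytab "$dest" "$SVC_USER"
}

# Run as svc-user: the IPA CLI picks up the keytab itself, no kinit needed.
retrieve_secret() {
    out="$1"
    umask 077                       # the retrieved secret file is created 0600
    check_keytab "$(keytab_path "$(id -u)")" "$(id -un)"
    ipa vault-retrieve "$VAULT" --service "$SVC_PRINCIPAL" --out "$out"
}

case "${1:-}" in
    install)  install_keytab "${2:-client.keytab}" ;;
    retrieve) retrieve_secret "${2:-mysecret.txt}" ;;
esac
```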