On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
service principals have never been bound to hosts. The hostname is just
part of the principal name. It’s not enforced. Pick whatever hostname
you want. (I actually think this is a bug.)

No, this is not really what it is. Service principals are always bound
to a host name but starting with FreeIPA 4.7.0 it is possible to create
service principals that have no host object with the same host name.

So, before FreeIPA 4.7, you needed to do

ipa host-add foo.bar.z
ipa service-add HTTP/foo.bar.z

Since FreeIPA 4.7.0 you can do

ipa service-add HTTP/foo.bar.z --skip-host-check

to create a service principal without a managed host. It would still
require foo.bar.z to be properly mappable to the IPA realm (see
https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/)
but that host doesn't need to exist in IPA.


On Nov 22, 2019, at 2:14 PM, Dmitry Perets <dmitry.per...@gmail.com> wrote:

Hi,

Can you please remind me from which IPA version you support service principals 
not bound to hosts? I think that would be then a better solution for my case, 
as I am really using this user for non-interactive workloads.

And in the meantime, what is the nicest solution for some service that has 
instances on multiple hosts? I could of course define separate service 
principals for each one of them (e.g., MYSVC/hostname), but if - for example -
they need to read secrets from the same shared Vault, I then must add all of 
them as its members. And there are 30 instances... That is why I thought to let 
them authenticate with the same principal.

Any solution for this in the current version of IPA (4.6)?

---
Regards,
Dmitry Perets

On Fri, 22 Nov 2019, 20:05 Alexander Bokovoy <aboko...@redhat.com> wrote:
On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
Interesting idea, but seems to require a time machine. The kerberos in
centos 8 is 1.16. I believe Ubuntu 18 is also.

Actually, I did check the source code commits in upstream MIT
Kerberos and I attributed it wrongly. '-f' is part of the 1.17 release and
'-s' is in the 1.16 release. So, it should be in RHEL 8.

On Nov 22, 2019, at 1:21 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

ktutil> add_entry -password -p principal -k kvno -f

The key part here is '-f' which fetches a salt from KDC. Otherwise,
you'd need to use '-s salt' option to specify a salt manually. Option
'-f' appeared in MIT 1.18, '-s' in MIT Kerberos 1.17.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
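Dmitry's scenario (one service principal whose keytab has to be installed on many instances) and Alexander's note that ktutil's add_entry needs '-f' (MIT 1.17+) or '-s salt' (MIT 1.16) come together in the following script. It is an added example, not code from the thread or from FreeIPA; the principal, realm, enctype and keytab path are placeholders, and it assumes "klist -V" prints a line of the form "Kerberos 5 version 1.17" and that the KDC uses MIT's default salt (realm followed by the principal components).

```shell
#!/bin/sh
# Added example: emit the right ktutil add_entry line for the local MIT
# Kerberos version, then build the keytab for a shared service principal.

# version_ge A B: succeeds if dotted version A >= B (major.minor only).
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}; min1=${min1%%.*}
    maj2=${2%%.*}; min2=${2#*.}; min2=${min2%%.*}
    [ "$maj1" -gt "$maj2" ] || { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }
}

# Pull "1.17" out of text such as "Kerberos 5 version 1.17" (klist -V output).
mit_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# MIT's default salt is the realm followed by the principal components with
# no separators: HTTP/foo.bar.z@EXAMPLE.COM -> EXAMPLE.COMHTTPfoo.bar.z
default_salt() {
    princ=${1%@*}; realm=${1#*@}
    printf '%s%s\n' "$realm" "$(printf '%s' "$princ" | tr -d '/')"
}

# add_entry_cmd PRINCIPAL KVNO MITVERSION: prints the ktutil command to use.
# 1.17+ can fetch the salt from the KDC (-f); 1.16 needs it spelled out (-s);
# anything older has neither option, so we refuse rather than guess.
add_entry_cmd() {
    princ=$1; kvno=$2; ver=$3; etype=aes256-cts-hmac-sha1-96   # placeholder enctype
    if version_ge "$ver" 1.17; then
        printf 'add_entry -password -p %s -k %s -e %s -f\n' "$princ" "$kvno" "$etype"
    elif version_ge "$ver" 1.16; then
        printf 'add_entry -password -p %s -k %s -e %s -s %s\n' \
            "$princ" "$kvno" "$etype" "$(default_salt "$princ")"
    else
        echo "MIT Kerberos $ver: ktutil has neither -f nor -s" >&2
        return 1
    fi
}

# build_keytab KEYTAB PRINCIPAL KVNO: feeds ktutil on stdin; the password
# prompt still comes from the terminal. KVNO must match the KDC's current kvno.
build_keytab() {
    keytab=$1; princ=$2; kvno=$3
    ver=$(mit_version "$(klist -V 2>&1)")
    cmd=$(add_entry_cmd "$princ" "$kvno" "$ver") || return 1
    printf '%s\nwkt %s\nquit\n' "$cmd" "$keytab" | ktutil
}
```

The same keytab can then be copied to every instance, since all of them present the one principal.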
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org