On Wed, 24 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
For a test setup, we need to create a custom service running on a
server and a custom application running on the client.   The
sample gss client/server from the Kerberos sources is used for
demonstration.

Setting this up with plain Kerberos is easy:

1. Create the service principal with
    $ addprinc -randkey sample/server.domain
2. Add key to keytab
    $ ktadd ...
3. Copy keytab to server
4. Run the service
    $ gss_server -port 12345 sample

Now, how would one do this with freeipa, using the command line
interface?

1. Create service
    $ ipa service-add sample/server.domain
2a. Create the service key?  How?
2b. Generate the keytab for the key?  How?
3. Copy the keytab to the server?  Manually or is there a freeipa
   way to do that?

Assuming both client and server are enrolled into FreeIPA:

 1. As admin, add a service and allow its host to create a keytab:

    kinit admin
    ipa service-add sample/server.domain
    ipa service-allow-create-keytab sample/server.domain --hosts=server.domain

 2. On the server system:

    kinit -k
    ipa-getkeytab -p sample/server.domain -k ./sample.keytab

 3. Run the service

    $ KRB5_KTNAME=./sample.keytab KRB5_CLIENT_KTNAME=./sample.keytab gss_server -port 12345 sample

See man kerberos(7) for the environment variables, ipa-getkeytab(1) for
examples of ipa-getkeytab use and 'ipa help service' for details on the
service commands (or any other IPA command line utility commands).

Is this approach correct?  Any pointer to the relevant
documentation would also be helpful.

This all is documented in RHEL IdM documentation, as linked on 
https://www.freeipa.org/page/Documentation#User_Guides

RHEL 7 documentation is more detailed as RHEL 8 takes a different
approach in documenting specific use cases while RHEL 7 documentation
covers all operations. They mostly complement each other.

Managing services is chapter 16 in RHEL7 documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/services#adding-service-entry

A relevant design document pair upstream is
https://www.freeipa.org/page/V4/Keytab_Retrieval and 
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management




(I'm completely new to freeipa.)

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
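The three steps from the reply (admin side, server side, run), scripted as an added example that is not part of the thread and not FreeIPA's own tooling. It keeps the thread's hypothetical names (sample/server.domain, server.domain, ./sample.keytab, port 12345) and adds the two checks a practitioner wants before trusting the keytab: that the file holds keys for the service, and that those keys still match the KDC (a later ipa-getkeytab without -r generates a new key and bumps the kvno, silently invalidating every earlier copy). The realm EXAMPLE.TEST in the embedded klist output is constructed for the offline check and is not from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from FreeIPA or from either poster.
# Hypothetical names carried over from the thread: sample/server.domain,
# server.domain, ./sample.keytab, port 12345. The realm EXAMPLE.TEST in the
# constructed klist output below is also made up.
set -eu

SERVICE="${SERVICE:-sample/server.domain}"
HOST="${HOST:-server.domain}"
KEYTAB="${KEYTAB:-./sample.keytab}"
PORT="${PORT:-12345}"

# Step 1, run once by an IPA admin: create the service entry and delegate
# keytab creation to the host that will run it, so no admin credentials are
# ever needed on the server itself.
setup_service_as_admin() {
    kinit admin
    ipa service-add "$SERVICE"
    ipa service-allow-create-keytab "$SERVICE" --hosts="$HOST"
}

# Step 2, run on server.domain with the host keytab (kinit -k uses
# /etc/krb5.keytab, which ipa-client-install created during enrolment).
# Caveat: every ipa-getkeytab without -r generates a NEW key and bumps the
# kvno, so any keytab fetched earlier for this service stops working.
fetch_keytab_on_server() {
    kinit -k
    ipa-getkeytab -p "$SERVICE" -k "$KEYTAB"
    chmod 0600 "$KEYTAB"          # the keytab is a long-term credential
}

# Parse `klist -kt` output on stdin and print the highest kvno stored for
# principal $1 (given without realm). Exit 1 if the principal is absent.
keytab_max_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1; found = 0 }
        $1 ~ /^[0-9]+$/ {
            split($NF, a, "@")
            if (a[1] == p) { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        }
        END { if (!found) exit 1; print max }'
}

# Check 1: the file really holds keys for our service.
# Check 2: those keys are the KDC's current ones. kinit -kt only succeeds if
# the stored key and kvno still match what the KDC has, so a stale copy left
# behind by a later ipa-getkeytab fails here instead of at the first client.
verify_keytab() {
    kvno=$(klist -kt "$KEYTAB" | keytab_max_kvno "$SERVICE")
    echo "keytab $KEYTAB holds $SERVICE at kvno $kvno"
    KRB5CCNAME=MEMORY:keytab-check kinit -kt "$KEYTAB" "$SERVICE"
}

# Step 3: run the sample server against this keytab, as in the reply.
# gss_server takes the bare service name ("sample"), not the full principal.
run_service() {
    KRB5_KTNAME="$KEYTAB" KRB5_CLIENT_KTNAME="$KEYTAB" \
        gss_server -port "$PORT" "${SERVICE%%/*}"
}

# Constructed `klist -kt` output (not captured from a real system), used to
# exercise keytab_max_kvno without a KDC.
SAMPLE_KLIST='Keytab name: FILE:./sample.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/24/2020 09:00:00 host/server.domain@EXAMPLE.TEST
   2 06/24/2020 10:00:00 sample/server.domain@EXAMPLE.TEST
   2 06/24/2020 10:00:00 sample/server.domain@EXAMPLE.TEST'

demo_kvno() {                  # -> 2 for sample/server.domain in the sample
    printf '%s\n' "$SAMPLE_KLIST" | keytab_max_kvno "$1"
}

case "${1:-}" in
    admin)  setup_service_as_admin ;;
    server) fetch_keytab_on_server; verify_keytab; run_service ;;
esac
```

Run it as `sh setup.sh admin` on a workstation with admin credentials and `sh setup.sh server` on server.domain. If the same service key has to live on several hosts, fetch it once with the generating form above and on the other hosts grant `ipa service-allow-retrieve-keytab` and use `ipa-getkeytab -r`, which copies the existing key instead of replacing it.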