On 07-12-2023 13:57, Christian Heimes via FreeIPA-users wrote:
On 07/12/2023 13.24, twoerner--- via FreeIPA-users wrote:
Hello,

On 12/7/23 12:50, Kees Bakker via FreeIPA-users wrote:
Hi,

Is this a good place to ask questions about ansible-freeipa?
Does anyone have an example to do getkeytab through ansible?
What I want to achieve is the equivalence of

     $ ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab

Creating a service is already possible, for example with:

     - name: Add IPA HTTP service
       ipaservice:
         # the module parameter is spelled "ipaadmin_principal"
         ipaadmin_principal: "{{ ipaadmin_principal }}"
         ipaadmin_password: "{{ ipaadmin_password }}"
         name: "HTTP/{{ ansible_fqdn }}"

But now I need something to retrieve the keytab.
Any suggestion or help is appreciated.

There is no module for keytab yet. Therefore the command line tool needs
to be used.

Something like this:

   - name: Get keytab
     ansible.builtin.shell: |
       # "<<<" is a bash here-string, so the task must run under bash;
       # the password is quoted so shell metacharacters in it cannot break the command
       kinit -c __keytab_ccache__ admin <<< {{ ipaadmin_password | quote }}
       ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
       kdestroy -q -A -c __keytab_ccache__
     args:
       executable: /bin/bash
     register: result
     failed_when: result.failed or "Failed" in result.stderr

This is simply using your command from above.
It is important that the destination directory "/etc/apache2" exists.

FWIW, the host principal of a system (host/$HOSTNAME) has permission to
manage its own services. The principal can add new services and request
a new keytab for a service. You can kinit with the host keytab to
acquire a TGT for the host principal:

    kinit -kt /etc/krb5.keytab
    ipa service-add HTTP/$(hostname -f)
    ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
    kdestroy

Ah, that makes sense. It is even simpler and, just as important, there are no credentials in the logs :-)
-- Kees
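The following playbook is an added example that combines the two approaches discussed in this thread (the ansible.builtin.shell task from Thomas and the host-principal commands from Christian); it is not code from the thread or from the ansible-freeipa project. It assumes a Debian-style target where Apache runs as www-data and reads its keytab from /etc/apache2, that the host is already enrolled (so /etc/krb5.keytab holds the host principal), and that the inventory group is called webservers. The host credentials, the private credential cache name and the keytab path are assumptions chosen for the example.

```yaml
# Added example, not from the thread or from ansible-freeipa.
# Fetch a service keytab on the target host using the host's own
# credentials (host/<fqdn> from /etc/krb5.keytab). No admin password is
# passed to the task, so nothing secret can end up in Ansible output,
# shell history or the journal.
# Assumed: Apache user www-data, directory /etc/apache2, enrolled client.
- name: Obtain the HTTP service keytab using the host principal
  hosts: webservers            # assumed inventory group
  become: true
  vars:
    http_keytab: /etc/apache2/http.keytab
    http_keytab_owner: www-data                           # assumed Apache user
    krb5_ccache: "FILE:/run/getkeytab-{{ ansible_fqdn }}.ccache"  # private cache
  tasks:
    - name: Ensure the keytab directory exists (ipa-getkeytab does not create it)
      ansible.builtin.file:
        path: "{{ http_keytab | dirname }}"
        state: directory
        mode: "0755"

    - name: Create the service if missing and fetch its keytab
      ansible.builtin.shell: |
        set -euo pipefail
        # Remove the host TGT from the private cache however the script exits.
        trap 'kdestroy -q -c "$KRB5CCNAME" || true' EXIT
        # The host principal may manage its own services, so its keytab is enough.
        kinit -kt /etc/krb5.keytab
        # service-add fails when the entry already exists, so check first.
        ipa service-show "HTTP/{{ ansible_fqdn }}" >/dev/null 2>&1 \
          || ipa service-add "HTTP/{{ ansible_fqdn }}"
        # Restrict the keytab file before it is written.
        umask 077
        ipa-getkeytab -p "HTTP/{{ ansible_fqdn }}" -k "{{ http_keytab }}"
      args:
        executable: /bin/bash
        # ipa-getkeytab generates a fresh key on every run, which invalidates
        # any keytab issued earlier; "creates" keeps the task idempotent.
        creates: "{{ http_keytab }}"
      environment:
        # Point kinit, ipa and ipa-getkeytab at the private cache instead of
        # the default one, so the host TGT never touches another user's cache.
        KRB5CCNAME: "{{ krb5_ccache }}"

    - name: Restrict the keytab to the web server user
      ansible.builtin.file:
        path: "{{ http_keytab }}"
        owner: "{{ http_keytab_owner }}"
        group: "{{ http_keytab_owner }}"
        mode: "0400"
```

Two points worth keeping in mind when adapting this: the `creates:` argument matters because `ipa-getkeytab` without `-r` creates a new key for the service every time it runs, so a careless rerun silently breaks any copy of the keytab that is already in use; and the task carries no secret at all, so there is nothing for `no_log` to hide, unlike the admin-password variant where `no_log: true` would be required to keep the password out of the play output.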