On 07/12/2023 14.15, Kees Bakker via FreeIPA-users wrote:
>> FWIW, the host principal of a system (host/$HOSTNAME) has permission to
>> manage its own services. The principal can add new services and request
>> a new keytab for a service. You can kinit with the host keytab to
>> acquire a TGT for the host principal:
>>
>> kinit -kt /etc/krb5.keytab
>> ipa service-add HTTP/$(hostname -f)
>> ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>> kdestroy
>
> Ah, that makes sense. It is even simpler and, just as important, there are
> no credentials in the logs :-)
It could be even simpler with automatic TGT acquisition using client
keytabs. However, ipa-getkeytab does not work with KRB5_CLIENT_KTNAME. I
have opened ticket https://pagure.io/freeipa/issue/9495.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
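As an added example that is not part of the thread (my code, not Christian's or FreeIPA's), the quoted kinit / service-add / ipa-getkeytab / kdestroy sequence wrapped in a POSIX shell function that keeps the host TGT in a private, throw-away credential cache, locks down the resulting keytab, and verifies it. It assumes an enrolled IPA client with the host key in /etc/krb5.keytab; the service type, keytab path and keytab owner are assumed parameters.

```shell
#!/bin/sh
# Added example, not from the thread: an enrolled IPA client provisions a
# keytab for one of its own services with its host principal, following the
# steps quoted above, but with a private credential cache and a locked-down
# keytab. Assumed: the client is enrolled, /etc/krb5.keytab holds the host
# key, and service type, keytab path and owner are passed as arguments.
set -eu

# Build the service principal name, e.g. HTTP/web1.example.test
service_principal() {
    printf '%s/%s\n' "$1" "$2"
}

# Usage: provision_service_keytab SERVICE KEYTAB_PATH OWNER [FQDN]
provision_service_keytab() {
    svc=$1; keytab=$2; owner=$3; fqdn=${4:-$(hostname -f)}
    princ=$(service_principal "$svc" "$fqdn")

    # Throw-away ccache (mktemp creates it mode 0600) so the host TGT never
    # lands in the default cache; destroyed and removed on exit.
    ccache=$(mktemp)
    export KRB5CCNAME="FILE:$ccache"
    trap 'kdestroy -c "FILE:$ccache" 2>/dev/null || true; rm -f "$ccache"' EXIT

    # TGT for the host principal from the host keytab: no password on the
    # command line, nothing to leak into shell history or logs.
    kinit -kt /etc/krb5.keytab "host/$fqdn"

    # Create the service entry; if it already exists, just confirm it is there.
    ipa service-add "$princ" >/dev/null 2>&1 || ipa service-show "$princ" >/dev/null

    # Caution: ipa-getkeytab generates a fresh key, which invalidates every
    # other keytab issued for this principal; use -r to copy the existing key.
    umask 077
    ipa-getkeytab -p "$princ" -k "$keytab"
    chown "$owner" "$keytab"
    chmod 0600 "$keytab"

    # Verify the keytab actually holds the requested principal.
    klist -kt "$keytab" | grep -F -q "$princ"
}

if [ "$#" -gt 0 ]; then
    provision_service_keytab "$@"
fi
```

Run it as root on the enrolled client with the service type, keytab path and owner, e.g. `HTTP /etc/apache2/http.keytab apache`, which mirrors the paths in the quoted commands.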
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]