On Tue, 2012-06-19 at 09:28 -0700, Stephen Ingram wrote: > On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce <s...@redhat.com> wrote: > > On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote: > >> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos > >> principals or must you use the cn=accounts,cn=users container? I'm > >> thinking this for script-authenticated machine accounts (might be of > >> form user-hostname@REALM or user/hostname@REALM) that need to > >> authenticate to another machine and just a way to separate them from > >> the regular user accounts in cn=accounts,cn=users. > > > > If you need to authenticate machines you probably want to use the > > machine keytab in /etc/krb5.keytab which contains a host/fqdn@REALM > > principal. > > > > The principal is stored in cn=computers,cn=accounts in the computer > > object if the machine is joined to IPA. > > > > for machines you do not want to join or if you want to use a different > > service principal name you should create a new service principal with > > 'ipa service-add' which will create a principal object in cn=services > > > > user-hostname or user/hostname are not common choices, while kerberos > > does not enforce any particular convention on names you usually want to > > use service/fqdn@REALm convention. Where 'service' is the service name. > > Many services already have conventions for the principal name (for > > example HTTP/fqdn@REALM for http servers). > > > > If your scripts are arbitrary you may decide to create your own script > > principal (useful if you want to assign special ACIs to it in IPA as you > > can reference the service account under cn=services in ACIs in theory. > > I couldn't agree more. Here's the situation though. I'm trying to use > IPA for a Cyrus IMAP Murder configuration. This involves > machine-to-machine authentication, but it's not really the machine, > it's a process on the machine. It's a process client authenticating > itself to a process server. The client constantly authenticates using > a script to obtain keys from a keytab. The server is authenticated > when the client connects to it. I was thinking like you are > suggesting, to use service principals, but I'm being told that user > principals are the way to go on the client end of things. Not wanting > to mix service users in with my regular users, I thought about putting > them in sysaccounts. I should probably take this up on the kerberos > list, but I was trying to do this within the constructs of IPA. I've > read that kerberos is indifferent to user vs service principals. Is > this true also of IPA besides the organization of the keys?
Yes with IPA you can use service principals to initiate context w/o problems. That's why I suggested you use a service principal. AD has a limitation that you must use an actual user to initiate a context, that may be where the suggestion is coming from. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users