On Fri, 21 Aug 2015, bahan w wrote:
Hello!

I send you this mail because I have a noobish question about keytabs.
What is the difference between a service keytab and a headless keytab.

In which keytab do we use a service keytab?
What is the definition of a "service"? Is that a daemon running on a
specific host?

When we perform a service-add in FreeIPA, what is this service exactly ?
Why not just use headless keytabs for everything ?

Sorry for this noobish question ^_^

A keytab is a container to store a Kerberos principal's keys. A key in terms
of Kerberos can be some random bytes. You can use the container to store a
password for a user principal or a password (key) for a service principal.
Think about glass jars you might have in your kitchen. You can put
anything in these jars, from pasta to flour to pickles to ...

Traditionally, a Kerberos service is something that represents an
application -- either acting as a client or as a server, it does not
really matter which way. Such an application may have its own arrangement on
how it runs (which UID/GID it uses on the operating system level) but it
is not important from the Kerberos point of view because Kerberos is not
responsible for the identity of your application (or user), it only
deals with Kerberos principals and their keys.

What you call a 'headless keytab' is probably a keytab to store user
principal keys. This already makes an assumption that you have a user
principal that corresponds to a certain POSIX user. A service principal is
something that does not need to be a POSIX user; as I said above, most
applications have their own arrangement on how they run on the OS level.

However, some Kerberos services have a traditional meaning. For a host,
there could be a host/fqdn@REALM service principal that 'represents' this
host in the Kerberos realm. The same service principal may be shared by
several applications: for example, both SSSD and the SSH daemon use
host/fqdn@REALM for their own needs. SSSD uses it as a client when
authenticating against the IPA LDAP server using SASL GSSAPI, and the SSH daemon
uses the host/fqdn@REALM key to represent itself as a server to incoming SSH
clients using GSSAPI or Kerberos authentication methods.

In FreeIPA it is recommended to create service principals to represent
applications as they are not required to have a global POSIX identity
associated with them and they are usually running on a specific host. In
addition, if they are accepting the SASL GSSAPI authentication method to
access themselves, a client application will usually build up a target
principal based on the hostname they run on, e.g. HTTP/fqdn@REALM for a
web server running on the host fqdn. Thus, there is a clear arrangement
between client and server applications on what they expect from each
other on the Kerberos (or SASL GSSAPI) level.

For user principals there is no such expectation. You *can* store a user's
password in a 'headless keytab' to allow some impersonation of the
user for certain needs, but it is irrelevant at the Kerberos level what
identity is there; both service and user principals can equally be used
on the client side to initiate authentication towards a server.

--
/ Alexander Bokovoy
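The "glass jar" point above in code, as an added example that is not part of Alexander's reply or of FreeIPA's own code: a minimal reader/writer for the MIT keytab file format (version 0x0502), showing that a service key (HTTP/fqdn@REALM) and a user ("headless") key sit in the same container and differ only in the principal stored. The realm, principal names, timestamps and key bytes are constructed sample values, and classifying multi-component names as services is a heuristic, not part of the format.

```python
import struct
KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file format version 2, big-endian fields

def encode_entry(principal, kvno, enctype, key, timestamp):
    """Encode one entry for 'svc/host@REALM' or 'user@REALM' as a length-prefixed record."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    for s in [realm] + components:                 # counted strings: uint16 length + bytes
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key    # keyblock: enctype + counted key
    body += struct.pack(">I", kvno)                # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    return KEYTAB_VERSION + b"".join(encode_entry(*e) for e in entries)

def read_keytab(data):
    """Yield one dict per live entry; a negative size marks a slot freed by deleting an entry."""
    assert data[:2] == KEYTAB_VERSION, "only keytab version 0x0502 is handled"
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                               # hole left by a removed entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):                 # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        realm, comps = strings[0], strings[1:]
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        ext = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        yield {"principal": "/".join(comps) + "@" + realm,
               # heuristic: multi-component names such as HTTP/fqdn or host/fqdn are services
               "kind": "service" if len(comps) > 1 else "user",
               "kvno": ext or vno8, "enctype": enctype, "key": key, "timestamp": ts}
        pos = end

# Constructed sample: a service key and a user ("headless") key share one container.
# Keys are dummy zero bytes; enctype 18/17 = aes256/aes128-cts-hmac-sha1-96.
SAMPLE_KEYTAB = write_keytab([
    ("HTTP/web.example.test@EXAMPLE.TEST", 3, 18, bytes(32), 1440144000),
    ("alice@EXAMPLE.TEST", 1, 17, bytes(16), 1440144000),
])
```

Running `list(read_keytab(SAMPLE_KEYTAB))` yields both entries, the same shape of record that `klist -kt` prints for a real keytab.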

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project