On Sat, 26 Sep 2015, Brian J. Murrell wrote:
On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:

OK.  I have refreshed my memory of how Kerberos works.

The sequence above:

 - Sets a random Kerberos key for a principal named
aster...@example.com
   on IPA KDC and stores it to the local keytab file asterisk.keytab

Yes.  That keytab is intended to be the machine equivalent of the human
who enters their password at a kinit prompt.
Ok, I wanted to know what you were trying to achieve.


 - tries to use a key for
aster...@example.com to obtain ticket
granting
   ticket as
imap/linux.example....@exampe.com

Why would it try to obtain a TGT as the imap/linux.example.com
principle?  It should be trying to obtain a TGT as the
aster...@example.com principle, exactly as a human named "asterisk"
would do using kinit.
Because *you* asked it to do so:
$ man kinit
...
SYNOPSIS
      kinit  [-V]  [-l  lifetime]  [-s start_time] [-r renewable_life] [-p | 
-P] [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]] [-c 
cache_name] [-n] [-S        service_name] [-I input_ccache] [-T armor_ccache] 
[-X attribute[=value]] [principal]

DESCRIPTION
      kinit obtains and caches an initial ticket-granting ticket for principal.

So, when you run kinit as

 kinit -k -t /path/to/keytab imap/linux.example.com

You are asking "take the key for imap/linux.example.com from the
/path/to/keytab and obtain a ticket granting ticket from KDC using these
credentials".


The goal here is to have the daemon authenticate to the KDC as
aster...@example.com and then use that TGT to get service tickets to
the imap service so that it authenticates to the imap service as the
user "asterisk".
And that would be
  kinit -k -t /path/to/keytab asterisk

That's enough. Not specifying the principal would mean using a default
(host/fqdn), not whatever is the principal in the keytab.

I suppose the other way, is to give the daemon the imap principle's key
and let it forge service tickets but that would require the daemon to
know that that is what is doing.  It does not know that.  It is just
acting like an imap client as any other imap client that uses kerberos
does.  To be perfectly clear, this daemon only wants to authenticate as
the single user "asterisk" to the imap server.  It does not need to
authenticate as many users.
Yes.

Once you've obtained a TGT in the current ccache, your application can
request the service ticket (imap/linux.example.com) automatically.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to