On 18.8.2016 23:36, Diogenes S. Jesus wrote:
> Thanks Petr.
> It seems like the only way to do it right now is to dump the keytab and
> copy it to slave KDCs, as I couldn't find a way to have MIT Kerberos to use
> the master key stored in the LDAP directly.

That is expected. If you want, just dump the key to file and distribute it
(using a secure mechanism). At the moment, FreeIPA does not rotate the master
key so it should just work.

> MIT Kerberos doesn't really support a master key stored elsewhere other
> than using "key_stash_file" AFAIK, so I'm wondering how FreeIPA has
> actually implemented it (I couldn't find any reference for it in the
> kerberos conf files).

FreeIPA has own KDC database driver:

This is why you cannot find this in standard MIT KDC.

> My use case involves having a "FreeIPA slave"  - a streamlined version
> which will only provide authentication (via Kerberos). Sure, I can make a
> standard replica and firewall what I don't wanna use, but when stretching
> your authentication infrastructure you don't necessary need to expose all
> other services FreeIPA provides, since that increases your attack surface.

Well, it should work if you leave all ports open for communication among
replicas but block out all clients.

In this case do not forget to remove DNS SRV records for other services so
clients do not timeout while attempting to contact firewalled replicas.

(Please note that FreeIPA DNS automatically re-generates DNS SRV records when
you change something in replica topology or run an IPA installer - you will
need to make the changes again.)

If you want to try the pure KDC slave, please let us know how it worked. I'm
curious :-)

Petr^2 Spacek

> Best regards
> On Fri, Jul 22, 2016 at 10:14 AM, Petr Spacek <pspa...@redhat.com> wrote:
>> On 21.7.2016 22:05, Diogenes S. Jesus wrote:
>>> Hi everyone.
>>> I'm currently planning on deploying FreeIPA as the Master KDC (among
>> other
>>> things to leverage from the API and some other built-in features - like
>>> replicas).
>>> However I find (correct if I'm wrong) FreeIPA not very modular -
>> therefore
>>> I would like to know what's the strategy when deploying slave KDCs.
>>> I've seen this thread
>>> <https://www.redhat.com/archives/freeipa-users/2013-
>> September/msg00319.html>
>>> but I
>>> don't really want to have a replica - the idea was to deploy a separate
>> box
>>> only running KDC - since the authentication is delegated to RADIUS for
>>> Authentication, I don't need to expose LDAP Master to KDC slaves - If
>> yes,
>>> I would provide a read-only LDAP replica..
>>> For starters, where is the FreeIPA KDC stash file stored?
>> AFAIK there is no prior art in setting up MIT KDC slaves. First of all,
>> FreeIPA does not use stash file and stores master key in LDAP instead.
>> You can retrieve equivalent of stash file using following command:
>> $ ipa-getkeytab --retrieve --principal K/M@<REALM> -k /tmp/stash.keytab
>> --binddn='cn=Directory manager' --bindpw='<Directory manager password>'
>> *Make sure* that --retrieve option is present otherwise it will destroy
>> your
>> Kerberos database.
>> The rest is up to your experimentation. I wish you good luck and please
>> report
>> your findings back to the mailing list!

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to