[Freeipa-users] Re: How to do getkeytab through ansible-freeipa
On 07/12/2023 14.15, Kees Bakker via FreeIPA-users wrote:
>> FWIW, the host principal of a system (host/$HOSTNAME) has permission to manage its own services. The principal can add new services and request a new keytab for a service. You can kinit with the host keytab to acquire a TGT for the host principal:
>>
>>     kinit -kt /etc/krb5.keytab
>>     ipa service-add HTTP/$(hostname -f)
>>     ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>>     kdestroy
>
> Ah, that makes sense. It is even simpler and, just as important, there are no credentials in the logs :-)

It could be even simpler with automatic TGT acquisition using client keytabs. However ipa-getkeytab does not work with KRB5_CLIENT_KTNAME. I have opened ticket https://pagure.io/freeipa/issue/9495 .

Christian

--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill

--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
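Putting the two suggestions in this thread together (Thomas's ansible.builtin.shell task and Christian's point that host/$HOSTNAME may manage its own services), the following is an added example playbook; it is not code from the thread and not from ansible-freeipa. It assumes an enrolled client (so /etc/krb5.keytab holds the host principal), the ipa client tools on the host, a Debian-style Apache running as www-data, an inventory group called webservers, and a scratch credential cache at /run/ipa-host-getkeytab.ccache; all of those names are assumptions, not something the page states.

```yaml
# Added example, not code from the thread or from ansible-freeipa.
# Assumptions: enrolled client (host/<fqdn> in /etc/krb5.keytab), ipa CLI tools
# installed, Apache runs as www-data, inventory group "webservers".
- name: Provision the HTTP service keytab with the host's own credentials
  hosts: webservers
  become: true
  vars:
    http_principal: "HTTP/{{ ansible_facts['fqdn'] }}"
    http_keytab: /etc/apache2/http.keytab
    keytab_owner: www-data                              # assumed Apache user
    host_ccache: "FILE:/run/ipa-host-getkeytab.ccache"  # assumed scratch cache
  tasks:
    - name: Ensure the keytab directory exists
      ansible.builtin.file:
        path: "{{ http_keytab | dirname }}"
        state: directory
        mode: "0755"

    - name: Check whether the keytab already contains the principal
      ansible.builtin.command: klist -kt {{ http_keytab }}
      register: klist_out
      changed_when: false
      failed_when: false            # a missing keytab is the normal first run

    # ipa-getkeytab without -r generates a NEW key (kvno goes up), which breaks
    # every other copy of this service keytab, so only run it when needed.
    - name: Create the service and fetch its keytab as the host principal
      when: http_principal not in klist_out.stdout
      block:
        - name: Obtain a host TGT, add the service if missing, fetch the key
          ansible.builtin.shell: |
            set -euo pipefail
            kinit -k -t /etc/krb5.keytab "host/{{ ansible_facts['fqdn'] }}"
            ipa service-show "{{ http_principal }}" >/dev/null 2>&1 \
              || ipa service-add "{{ http_principal }}"
            ipa-getkeytab -p "{{ http_principal }}" -k "{{ http_keytab }}"
          args:
            executable: /bin/bash
          environment:
            # kinit, ipa and ipa-getkeytab all honour KRB5CCNAME, so the host
            # TGT never lands in the default cache of the connecting user.
            KRB5CCNAME: "{{ host_ccache }}"
      always:
        - name: Destroy the host TGT so it does not linger on disk
          ansible.builtin.command: kdestroy -q
          environment:
            KRB5CCNAME: "{{ host_ccache }}"
          changed_when: false
          failed_when: false

    - name: Restrict the keytab to the service account
      ansible.builtin.file:
        path: "{{ http_keytab }}"
        owner: "{{ keytab_owner }}"
        group: "{{ keytab_owner }}"
        mode: "0400"
```

No admin password ever reaches the client: the only credential used is the host keytab that is already on the box, and its scope is limited to the host's own services. The klist guard matters because ipa-getkeytab re-keys the service on every run unless it is invoked with -r, and retrieving an existing key with -r needs the "retrieve keytab" permission to be granted to the host first (ipa service-allow-retrieve-keytab).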
[Freeipa-users] Re: How to do getkeytab through ansible-freeipa
On 07-12-2023 13:57, Christian Heimes via FreeIPA-users wrote:
> On 07/12/2023 13.24, twoerner--- via FreeIPA-users wrote:
>> Hello,
>>
>> On 12/7/23 12:50, Kees Bakker via FreeIPA-users wrote:
>>> Hi,
>>> Is this a good place to ask questions about ansible-freeipa ?
>>> Does anyone have an example to do getkeytab through ansible? What I want to achieve is the equivalent of
>>>
>>>     $ ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>>>
>>> Creating a service is already possible, for example with:
>>>
>>>     - name: Add IPA HTTP service
>>>       ipaservice:
>>>         ipaadmin_principal: "{{ ipaadmin_principal }}"
>>>         ipaadmin_password: "{{ ipaadmin_password }}"
>>>         name: "HTTP/{{ ansible_fqdn }}"
>>>
>>> But now I need something to retrieve the keytab.
>>> Any suggestion or help is appreciated.
>>
>> There is no module for keytab yet. Therefore the command line tool has to be used. Something like this:
>>
>>     - name: Get keytab
>>       ansible.builtin.shell: |
>>         kinit -c __keytab_ccache__ admin <<< {{ ipaadmin_password | quote }}
>>         ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>>         kdestroy -q -A -c __keytab_ccache__
>>       args:
>>         executable: /bin/bash        # "<<<" is a bash here-string, not POSIX sh
>>       environment:
>>         KRB5CCNAME: __keytab_ccache__  # ipa-getkeytab reads the default cache, not kinit's -c
>>       no_log: true                   # keep the admin password out of the Ansible log
>>       register: result
>>       failed_when: result.failed or "Failed" in result.stderr
>>
>> This is simply using your command from above. Important is that the destination directory "/etc/apache2" exists.
>
> FWIW, the host principal of a system (host/$HOSTNAME) has permission to manage its own services. The principal can add new services and request a new keytab for a service. You can kinit with the host keytab to acquire a TGT for the host principal:
>
>     kinit -kt /etc/krb5.keytab
>     ipa service-add HTTP/$(hostname -f)
>     ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>     kdestroy

Ah, that makes sense.
It is even simpler and, just as important, there are no credentials in the logs :-)

--
Kees
[Freeipa-users] Re: How to do getkeytab through ansible-freeipa
On 07/12/2023 13.24, twoerner--- via FreeIPA-users wrote:
> Hello,
>
> On 12/7/23 12:50, Kees Bakker via FreeIPA-users wrote:
>> Hi,
>> Is this a good place to ask questions about ansible-freeipa ?
>> Does anyone have an example to do getkeytab through ansible? What I want to achieve is the equivalent of
>>
>>     $ ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>>
>> Creating a service is already possible, for example with:
>>
>>     - name: Add IPA HTTP service
>>       ipaservice:
>>         ipaadmin_principal: "{{ ipaadmin_principal }}"
>>         ipaadmin_password: "{{ ipaadmin_password }}"
>>         name: "HTTP/{{ ansible_fqdn }}"
>>
>> But now I need something to retrieve the keytab.
>> Any suggestion or help is appreciated.
>
> There is no module for keytab yet. Therefore the command line tool has to be used. Something like this:
>
>     - name: Get keytab
>       ansible.builtin.shell: |
>         kinit -c __keytab_ccache__ admin <<< {{ ipaadmin_password | quote }}
>         ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>         kdestroy -q -A -c __keytab_ccache__
>       args:
>         executable: /bin/bash        # "<<<" is a bash here-string, not POSIX sh
>       environment:
>         KRB5CCNAME: __keytab_ccache__  # ipa-getkeytab reads the default cache, not kinit's -c
>       no_log: true                   # keep the admin password out of the Ansible log
>       register: result
>       failed_when: result.failed or "Failed" in result.stderr
>
> This is simply using your command from above. Important is that the destination directory "/etc/apache2" exists.

FWIW, the host principal of a system (host/$HOSTNAME) has permission to manage its own services. The principal can add new services and request a new keytab for a service. You can kinit with the host keytab to acquire a TGT for the host principal:

    kinit -kt /etc/krb5.keytab
    ipa service-add HTTP/$(hostname -f)
    ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
    kdestroy

Christian

--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/
[Freeipa-users] Re: How to do getkeytab through ansible-freeipa
Hello,

On 12/7/23 12:50, Kees Bakker via FreeIPA-users wrote:
> Hi,
> Is this a good place to ask questions about ansible-freeipa ?
> Does anyone have an example to do getkeytab through ansible? What I want to achieve is the equivalent of
>
>     $ ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
>
> Creating a service is already possible, for example with:
>
>     - name: Add IPA HTTP service
>       ipaservice:
>         ipaadmin_principal: "{{ ipaadmin_principal }}"
>         ipaadmin_password: "{{ ipaadmin_password }}"
>         name: "HTTP/{{ ansible_fqdn }}"
>
> But now I need something to retrieve the keytab.
> Any suggestion or help is appreciated.

There is no module for keytab yet. Therefore the command line tool has to be used. Something like this:

    - name: Get keytab
      ansible.builtin.shell: |
        kinit -c __keytab_ccache__ admin <<< {{ ipaadmin_password | quote }}
        ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab
        kdestroy -q -A -c __keytab_ccache__
      args:
        executable: /bin/bash        # "<<<" is a bash here-string, not POSIX sh
      environment:
        KRB5CCNAME: __keytab_ccache__  # ipa-getkeytab reads the default cache, not kinit's -c
      no_log: true                   # keep the admin password out of the Ansible log
      register: result
      failed_when: result.failed or "Failed" in result.stderr

This is simply using your command from above. Important is that the destination directory "/etc/apache2" exists.

Regards,
Thomas
[Freeipa-users] How to do getkeytab through ansible-freeipa
Hi,

Is this a good place to ask questions about ansible-freeipa ?

Does anyone have an example to do getkeytab through ansible? What I want to achieve is the equivalent of

    $ ipa-getkeytab -p HTTP/$(hostname -f) -k /etc/apache2/http.keytab

Creating a service is already possible, for example with:

    - name: Add IPA HTTP service
      ipaservice:
        ipaadmin_principal: "{{ ipaadmin_principal }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "HTTP/{{ ansible_fqdn }}"

But now I need something to retrieve the keytab.
Any suggestion or help is appreciated.

--
Kees
[Freeipa-users] Re: Trust with POSIX-enabled AD
Florence Blanc-Renaud via FreeIPA-users wrote on 07.12.23 at 10:00:
> But the behavior will be exactly the same, ie on IPA side the user is seen as a member of the AD group + of the posix group defined on IPA side.

Ok, then I guess I'll have to live with this (aesthetic) flaw.

Thank you very much for your feedback.
[Freeipa-users] Re: Trust with POSIX-enabled AD
Hi Stefan,

On Thu, Dec 7, 2023 at 8:00 AM Stefan Palm via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello everyone.
>
> It looks like I have a problem understanding the way AD trusts work. Maybe someone here can enlighten me.
>
> In our AD we have "normal" users and groups and we have users/groups with POSIX attributes. For the latter we want to use FreeIPA to implement HBAC and Sudo rules.
>
> Last week I installed a FreeIPA server (v4.10.1) and created a one-way trust to our AD. This has worked so far, I can log on to my (test) FreeIPA client with my AD user.
>
> My comprehension problem: I can only see AD users and AD groups on the FreeIPA server and on my test client that have POSIX attributes (uid, uidNumber, gidNumber) set. To clarify: "getent passwd" and "getent groups" do not find users and groups that do not have POSIX attributes and the same applies to "ipa group-add-member".

Your trust was probably created as a posix trust (with ipa trust-add --range-type=ipa-ad-trust-posix). This means that only users and groups with POSIX ids defined on AD can be used on IPA side. For more details you can refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#con_posix-and-id-mapping-id-range-types-for-ad-users_planning-a-cross-forest-trust-between-idm-and-ad and

> While this does not matter for the users so far, it is a problem for me with the groups because I can now only select AD groups with POSIX attributes when mapping, i.e. "ipa group-add-member --external ''" only works with POSIX groups from the AD.
> Why is this a problem? Because I now suddenly see the groups "twice", so if I make an "id ", then I see the original AD group (e.g. "webserver admins" with the gidNumber from the AD) and additionally the mapped group from FreeIPA (with its own gid).

The AD groups can be used on IPA side only through the use of external groups, as explained in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-managing#trust-groups

> The question I have is, does it have to be like this?
> Is there no way to select either the already existing AD group directly in HBAC and/or Sudo rules? Or if the mapping has to be to local groups, to select non-POSIX groups from the AD?

If you want to use non-POSIX groups from AD, then you need to establish the trust with a range type ipa-ad-trust instead of ipa-ad-trust-posix, or define a group override on IPA that assigns a groupid to the group (see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_using-id-views-for-active-directory-users_managing-users-groups-hosts ). But the behavior will be exactly the same, ie on IPA side the user is seen as a member of the AD group + of the posix group defined on IPA side.

HTH,
flo

> Best regards
> Stefan
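The external-group mapping flo describes, as an added example written with ansible-freeipa modules (ipagroup with external/external_member, ipahbacrule); it is not code from the thread or from the Red Hat documentation it links, and the parameter names are as I know them and should be checked against the installed collection. The AD NetBIOS name "AD", the AD group "webserver admins", the IPA group names and the host group "webservers" are placeholders of mine. The trust itself must already exist; as flo explains, with a posix range type only AD groups that carry POSIX ids can be added as external members, and the resulting user still shows up in both the AD group and the IPA POSIX group.

```yaml
# Added example, not code from the thread or from the linked documentation.
# Assumptions: trust to the AD domain is established, play runs against an IPA
# server, ipaadmin_password is supplied (vault/extra-vars), names are placeholders.
- name: Map an AD group into an IPA POSIX group usable in HBAC and sudo rules
  hosts: ipaserver
  vars:
    ad_group: "AD\\webserver admins"        # placeholder AD group, DOMAIN\name form
  tasks:
    - name: External group that carries the AD group's SID (no gid of its own)
      ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: webserver_admins_external
        external: true
        external_member:
          - "{{ ad_group }}"

    - name: POSIX group on the IPA side; the external group is its member
      ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: webserver_admins
        group:
          - webserver_admins_external

    # HBAC and sudo rules can only reference IPA groups, hence the POSIX group.
    - name: HBAC rule granting ssh to the mapped group on the web servers
      ipahbacrule:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: allow_webserver_admins_ssh
        group:
          - webserver_admins
        hostgroup:
          - webservers            # placeholder host group
        hbacsvc:
          - sshd
```

After this runs, "id" for an AD member of the group lists both the AD group (with the gid from AD or from the ID range, depending on the trust's range type) and webserver_admins with its IPA gid, which is the doubling Stefan observed; it is inherent to the external-group mechanism rather than a misconfiguration.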