Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Ondrej Valousek


On 03.08.2011 23:52, Dmitri Pal wrote:

But this has not been even filed as an enhancement as no one cared about
such functionality until now.

What is your use case for this functionality?

Actually, I do not need such a functionality. I was asking because I know
Windows rotates keytabs, so I was expecting IPA might as well.
I guess there is no big press for it now, but I would say in general we should
support it as well - for security reasons if not for anything else.


Ondrej


The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to: communicati...@s3group.com.
Thank You.
Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 
378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Simo Sorce
On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
 On 08/04/2011 03:52 AM, Ondrej Valousek wrote: 
  
  On 03.08.2011 23:52, Dmitri Pal wrote: 
   But this has not been even filed as an enhancement as no one cared about
   such functionality until now.
   
   What is your use case for this functionality?
  Actually, I do not need such a functionality. I was asking because I
  know Windows rotate keytabs so I was expecting IPA might as well.
  I guess there is no big press for it now but I would say in general
  we should support it as well - for security reasons if not for
  anything else.
  
 
 I created a BZ. I am not sure certmonger is the right component
 https://bugzilla.redhat.com/show_bug.cgi?id=728263
 But at least it will be on the plate of the right person to make the
 decision and propose alternative approaches. 

SSSD is probably a more appropriate component for keytabs, given in the
IPA case it is a primary user of the keytab for validation purposes.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Dmitri Pal
On 08/04/2011 10:28 AM, Simo Sorce wrote:
 On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
 On 08/04/2011 03:52 AM, Ondrej Valousek wrote: 
 On 03.08.2011 23:52, Dmitri Pal wrote: 
 But this has not been even filed as an enhancement as no one cared about
 such functionality until now.

 What is your use case for this functionality?
 Actually, I do not need such a functionality. I was asking because I
 know Windows rotate keytabs so I was expecting IPA might as well.
 I guess there is no big press for it now but I would say in general
 we should support it as well - for security reasons if not for
 anything else.

 I created a BZ. I am not sure certmonger is the right component
 https://bugzilla.redhat.com/show_bug.cgi?id=728263
 But at least it will be on the plate of the right person to make the
 decision and propose alternative approaches. 
 SSSD is probably a more appropriate component for keytabs, given in the
 IPA case it is a primary user of the keytab for validation purposes.

 Simo.

Yes. Maybe it is SSSD. But maybe the Kerberos library should have a
way to rotate keytabs over the Kerberos protocol?
That would be even better as key rotation would then become a centrally
managed policy rather than triggered by a client.
The BZ will help me not to forget to start a broader discussion on the
matter when time comes.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Ondrej Valousek
I agree with Simo; I would expect this from sssd instead. Also, given that sssd
will in future also handle winbind's net * commands, this seems to me like the
most natural way...

Ondrej


On 04.08.2011 16:28, Simo Sorce wrote:

SSSD is probably a more appropriate component for keytabs, given in the
IPA case it is a primary user of the keytab for validation purposes.





Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Dmitri Pal
On 08/04/2011 10:47 AM, Simo Sorce wrote:
 On Thu, 2011-08-04 at 10:43 -0400, Dmitri Pal wrote:
 On 08/04/2011 10:28 AM, Simo Sorce wrote:
 On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
 On 08/04/2011 03:52 AM, Ondrej Valousek wrote: 
 On 03.08.2011 23:52, Dmitri Pal wrote: 
 But this has not been even filed as an enhancement as no one cared about
 such functionality until now.

 What is your use case for this functionality?
 Actually, I do not need such a functionality. I was asking because I
 know Windows rotate keytabs so I was expecting IPA might as well.
 I guess there is no big press for it now but I would say in general
 we should support it as well - for security reasons if not for
 anything else.

 I created a BZ. I am not sure certmonger is the right component
 https://bugzilla.redhat.com/show_bug.cgi?id=728263
 But at least it will be on the plate of the right person to make the
 decision and propose alternative approaches. 
 SSSD is probably a more appropriate component for keytabs, given in the
 IPA case it is a primary user of the keytab for validation purposes.

 Simo.

 Yes. Maybe it is SSSD. But maybe the Kerberos library should have a
 way to rotate keytabs over the Kerberos protocol?
 Yes it is called a password change technically :)

 That would be even better as key rotation would then become a centrally
 managed policy rather than triggered by a client.
 You cannot do it outside of a client, only the client has the original
 key to do (and be able to receive on a secure channel) the password
 change.

Yes but server can indicate in some attribute to the client that it is
time to start doing this and the client will do the change.

 The BZ will help me not to forget to start a broader discussion on the
 matter when time comes.
 Ok.

 Simo.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Ondrej Valousek



On 04.08.2011 16:53, Dmitri Pal wrote:

Yes but server can indicate in some attribute to the client that it is
time to start doing this and the client will do the change.

Would it not be easiest to just steal some code from winbind? It is doing the
same thing for Samba, right? I guess it should not be that different in IPA.

But it is only a wild guess...

Ondrej



Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-04 Thread Dmitri Pal
On 08/04/2011 10:59 AM, Ondrej Valousek wrote:


 On 04.08.2011 16:53, Dmitri Pal wrote:
 Yes but server can indicate in some attribute to the client that it is
 time to start doing this and the client will do the change.

 Would it not be easiest to just steal some code from winbind? It is doing
 the same thing for Samba, right? I guess it should not be that
 different in IPA.
 But it is only a wild guess...

That might be a way too. We will consider all options when time comes.
Ticket was filed.


 Ondrej

 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






[Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-03 Thread Ondrej Valousek

Hi List,

I have some questions regarding IPA:

  1. On the IPA client side, which daemon is looking after machine Kerberos
     host/ principal renewal?
  2. If I installed Samba4 on the IPA server, what would happen? Is it
     possible? Would I get 2x KDCs, 2x LDAP servers and 2x DNS servers, or is
     it possible for Samba4 to re-use the existing IPA repository?
  3. Can I use Adam's LDAP plugin for BIND to deploy a DNS server with an
     Active Directory integrated zone running on Linux?

Many thanks,
Ondrej



Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-03 Thread Simo Sorce
On Wed, 2011-08-03 at 10:22 +0200, Ondrej Valousek wrote:
 Hi List,
 
 I have some questions regarding IPA:
  1. On the IPA client side, which daemon is looking after machine
 Kerberos host/ principal renewal?

Keytabs are random secrets and do not need to expire, as cracking them is
considered a problem out of current computational reach, unlike user
passwords, which use a much smaller set of values and are less random in
nature.

  2. If I installed Samba4 on the IPA server, what would happen? Is
     it possible? Would I get 2x KDCs, 2x LDAP servers and 2x DNS
     servers, or is it possible for Samba4 to re-use the existing IPA
     repository?

Nothing would work, as they would want to use the same ports (LDAP, KDC,
kpasswd ...). No, Samba4 cannot use FreeIPA's LDAP because Windows clients
want a perfect copy of AD's schema and DIT, so Samba4 has to use the
embedded LDAP and KDC.

  3. Can I use Adam's LDAP plugin for BIND to deploy a DNS
     server with an Active Directory integrated zone running on Linux?

The bind-dyndb-ldap plugin can be used to store any kind of data, and it
properly allows bind to set records on DNS Updates. So yes, you can, but
you may want to use a tool to make it easier to modify LDAP records
then.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4

2011-08-03 Thread Dmitri Pal
On 08/03/2011 07:44 AM, Simo Sorce wrote:
 I have some questions regarding IPA:
   1. On the IPA client side, which daemon is looking after machine
  Kerberos host/ principal renewal?
 Keytabs are random secrets and do not need to expire, as cracking them is
 considered a problem out of current computational reach, unlike user
 passwords, which use a much smaller set of values and are less random in
 nature.

There is none at the moment however it is generally a good practice to
rotate even secure keys like keytabs from time to time.
One of the ideas I have for that is to allow certmonger to bind with
mutual SSL auth or using current keytab and request a new keytab instead
of the old one.
But this has not been even filed as an enhancement as no one cared about
such functionality until now.

What is your use case for this functionality?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





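The thread establishes that nothing on an IPA client rotates the host keytab today, while Dmitri notes it is good practice to rotate even random keys from time to time and Simo points out that such a rotation is technically a password change performed by the client. Until a tool does that, an administrator can at least find keytabs that have never been rotated. The following is an added example, not FreeIPA, SSSD or certmonger code: it parses the text that MIT Kerberos `klist -kt -e` prints (the column layout and the `MM/DD/YYYY HH:MM:SS` timestamp are assumptions about that output, which is locale-dependent; the sample is constructed) and flags principals whose newest key version is older than a policy age, plus principals that still carry entries for superseded key versions.

```python
"""Audit a keytab for keys that have never been rotated.

Added example, not FreeIPA/SSSD/certmonger code. Parses `klist -kt -e`
output (format assumed from MIT krb5; timestamps are locale-dependent) and
reports (a) principals whose newest kvno is older than a policy age and
(b) principals that still hold entries for older kvnos.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of `klist -kt -e /etc/krb5.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/10/2010 09:15:30 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 02/10/2010 09:15:30 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 08/03/2011 10:22:01 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 08/03/2011 10:22:01 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 01/05/2009 00:00:00 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: kvno, timestamp, principal, optional "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<princ>\S+)"
    r"(?:\s+\((?P<etype>[^)]+)\))?\s*$"
)
TS_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return a list of {kvno, timestamp, principal, etype} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:" line, column header, separator
        entries.append({
            "kvno": int(m.group("kvno")),
            "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
            "principal": m.group("princ"),
            "etype": m.group("etype"),
        })
    return entries


def audit_keytab(entries, now, max_age_days=365):
    """Return {"stale": [(principal, kvno, age_days)], "old_kvno": [(principal, kvno)]}."""
    by_princ = defaultdict(list)
    for e in entries:
        by_princ[e["principal"]].append(e)

    cutoff = now - timedelta(days=max_age_days)
    stale, old_kvno = [], set()
    for princ, keys in by_princ.items():
        newest = max(k["kvno"] for k in keys)
        # Age of the current key is the timestamp of its newest kvno entry.
        newest_ts = max(k["timestamp"] for k in keys if k["kvno"] == newest)
        if newest_ts < cutoff:
            stale.append((princ, newest, (now - newest_ts).days))
        for k in keys:
            if k["kvno"] < newest:
                old_kvno.add((princ, k["kvno"]))
    return {"stale": sorted(stale), "old_kvno": sorted(old_kvno)}


def audit_text(text, now_iso, max_age_days=365):
    """Convenience wrapper: parse klist text and audit it as of now_iso (YYYY-MM-DD)."""
    now = datetime.strptime(now_iso, "%Y-%m-%d")
    return audit_keytab(parse_klist(text), now, max_age_days)


def format_findings(findings):
    lines = []
    for princ, kvno, age in findings["stale"]:
        lines.append("STALE   %-45s kvno %d is %d days old" % (princ, kvno, age))
    for princ, kvno in findings["old_kvno"]:
        lines.append("OLDKEY  %-45s still holds superseded kvno %d" % (princ, kvno))
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(format_findings(audit_text(SAMPLE_KLIST, "2011-08-04")))
```

In practice feed it `klist -kt -e /etc/krb5.keytab` output and today's date; a STALE finding means the principal's key has never been changed within the policy window, which is exactly the case the thread says no IPA client daemon handles yet. Entries with an older kvno are normal right after a rotation (tickets issued under the old key must still decrypt) and become worth removing only once those tickets have expired.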