I know on a former commercial product I used the monthly machine account credential renewal had a "hook" parameter where you could specify an executable script to be called. It was designed to work with Samba, so that you could write the samba keytab file without Samba needing to access the /etc/krb5.keytab file.
Possibly sssd has such a post-rotate hook parameter as well. That worked great for creating a Samba-viewable credentials. However, it sounds like you're defining SPNs as alternate names for the host principal. I don't see how you could write a HTTP.keytab file or so with entries for HTTP/<service>@<domain> without embedding the credentials for the host principal (under the HTTP/ SPN of course). Spike On Thu, Jul 20, 2023 at 7:38 AM Stefan Bauer <[email protected]> wrote: > Dear Users, > > i really love SSSD and also the auto-renewal of the host-keytab file. > > On many hosts we add the SPNs > > HTTP/ > SQL/... > > directly to the machine-account in Active-Directory. This is all fine and > works. > > However i have a bad feeling about letting services read the keytab file > as it gives access to the machine-account. > > Opinions? > > How do you handle service keytabs and it's rotation? > > Thank you. > > Stefan > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
