Thank you Spike and James for your reply. That was quite helpful.
Yes, I currently do have a single host principal in Active Directory that
has numerous servicePrincipalNames:
HOST/...
HTTP/
SQL/...

for all services running on this specific host.

So it cannot be separated, as the only credential for that host is the
machine account itself. Correct?

Is it bad practice to have additional SPNs on the host principal?

How do you associate and rotate your keytabs for services?

Thank you.

Stefan
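As an added example (not code from this thread or from SSSD), a small audit that parses `klist -kte` output and lists the service SPNs whose key is the machine account's own, which is the situation described above. The keytab listing, host name and realm are constructed.

```python
import re

# Constructed sample of `klist -kte /etc/krb5.keytab` output for a host whose
# AD machine account WEB01$ carries HOST/, HTTP/ and SQL/ SPNs (made-up values).
# The nfs/ entry with a different KVNO stands in for a key from another account.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 07/20/2023 07:38:00 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 07/20/2023 07:38:00 host/web01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   7 07/20/2023 07:38:00 WEB01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 07/20/2023 07:38:00 HTTP/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 07/20/2023 07:38:00 SQL/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/15/2023 09:00:00 nfs/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# KVNO, two-token timestamp, principal, enctype in parentheses (klist -kte layout).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Parse `klist -kte` output into (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_host_principal(principal):
    """HOST/ SPNs and the NAME$ principal both name the machine account itself."""
    name = principal.split("@", 1)[0]
    return name.lower().startswith("host/") or name.endswith("$")


def service_spns_sharing_host_key(entries):
    """Service SPNs whose key (same KVNO and enctype) also sits on the machine
    account's own principals. A keytab does not record which AD account a key
    came from, so this is a heuristic: a match means any service that can read
    this keytab holds the machine account's credential."""
    host_keys = {(k, e) for k, p, e in entries if is_host_principal(p)}
    return sorted({p for k, p, e in entries
                   if not is_host_principal(p) and (k, e) in host_keys})


if __name__ == "__main__":
    for spn in service_spns_sharing_host_key(parse_klist(SAMPLE_KLIST)):
        print(f"{spn}: key is the machine account's; readers gain the host credential")
```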
On Mon., 24 July 2023 at 23:14, Spike White <
[email protected]> wrote:

> I know that on a former commercial product I used, the monthly machine
> account credential renewal had a "hook" parameter where you could specify
> an executable script to be called.  It was designed to work with Samba, so
> that you could write the Samba keytab file without Samba needing to access
> the /etc/krb5.keytab file.
>
> Possibly sssd has such a post-rotate hook parameter as well.
>
> That worked great for creating Samba-viewable credentials.
>
> However, it sounds like you're defining SPNs as alternate names for the
> host principal.  I don't see how you could write an HTTP.keytab file or so
> with entries for HTTP/<service>@<domain> without embedding the
> credentials for the host principal (under the HTTP/ SPN of course).
>
> Spike
>
> On Thu, Jul 20, 2023 at 7:38 AM Stefan Bauer <[email protected]> wrote:
>
>> Dear Users,
>>
>> I really love SSSD and also the auto-renewal of the host keytab file.
>>
>> On many hosts we add the SPNs
>>
>> HTTP/
>> SQL/...
>>
>> directly to the machine account in Active Directory. This is all fine and
>> works.
>>
>> However, I have a bad feeling about letting services read the keytab file,
>> as it gives access to the machine account.
>>
>> Opinions?
>>
>> How do you handle service keytabs and their rotation?
>>
>> Thank you.
>>
>> Stefan
>> _______________________________________________
>> sssd-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>