Stefan,

From what I'm reading, it looks like James supplied the answer: gssproxy. This URL:
gssproxy/docs/Apache.md at main · gssapi/gssproxy · GitHub <https://github.com/gssapi/gssproxy/blob/main/docs/Apache.md>
seems to demonstrate how to implement this for the Apache webserver.

Spike

On Tue, Jul 25, 2023 at 12:50 AM Stefan Bauer <[email protected]> wrote:
> Thank you Spike and James for your reply. That was quite helpful.
> Yes, I currently do have a single host principal in Active Directory that
> has numerous servicePrincipalNames:
> HOST/...
> HTTP/
> SQL/...
>
> for all services running on this specific host.
>
> So it cannot be separated, as the only credential for that host is the
> machine account itself. Correct?
>
> Is it bad practice to have additional SPNs on the host principal?
>
> How do you associate and rotate your keytabs for services?
>
> Thank you.
>
> Stefan
>
> On Mon, Jul 24, 2023 at 23:14, Spike White <[email protected]> wrote:
>
>> I know on a former commercial product I used, the monthly machine
>> account credential renewal had a "hook" parameter where you could specify
>> an executable script to be called. It was designed to work with Samba, so
>> that you could write the Samba keytab file without Samba needing to access
>> the /etc/krb5.keytab file.
>>
>> Possibly sssd has such a post-rotate hook parameter as well.
>>
>> That worked great for creating Samba-viewable credentials.
>>
>> However, it sounds like you're defining SPNs as alternate names for the
>> host principal. I don't see how you could write a HTTP.keytab file or so
>> with entries for HTTP/<service>@<domain> without embedding the
>> credentials for the host principal (under the HTTP/ SPN of course).
>>
>> Spike
>>
>> On Thu, Jul 20, 2023 at 7:38 AM Stefan Bauer <[email protected]> wrote:
>>
>>> Dear Users,
>>>
>>> I really love SSSD and also the auto-renewal of the host keytab file.
>>>
>>> On many hosts we add the SPNs
>>>
>>> HTTP/
>>> SQL/...
>>>
>>> directly to the machine account in Active Directory. This is all fine
>>> and works.
>>>
>>> However, I have a bad feeling about letting services read the keytab file,
>>> as it gives access to the machine account.
>>>
>>> Opinions?
>>>
>>> How do you handle service keytabs and their rotation?
>>>
>>> Thank you.
>>>
>>> Stefan
>>> _______________________________________________
>>> sssd-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
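The point Spike makes in the thread (an HTTP.keytab cut out of the host keytab still embeds the machine account's credentials, because every SPN on one Active Directory account is an alias for the same key) can be checked directly by reading the keytab. What follows is an added example, not code from the thread or from SSSD, gssproxy or MIT Kerberos: a small Python parser for the MIT keytab file format (version 0x0502, big-endian fields) that builds a sample keytab, parses it, groups principals that share identical key material, and shows that filtering to the HTTP/ entries isolates nothing. The machine account, the principal names under web01.example.com@EXAMPLE.COM, the kvno and the key bytes are all constructed for the demonstration.

```python
"""Audit which principals in a Kerberos keytab share the same key material.

Added example for the sssd-users thread above; not code from SSSD, gssproxy
or MIT Kerberos. Implements the MIT keytab format (version 0x0502) well
enough to build and parse a keytab offline.
"""
import hashlib
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502   # MIT keytab format; the only version handled here
KRB5_NT_PRINCIPAL = 1     # name type used for ordinary service principals
ETYPE_AES256 = 18         # aes256-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    (length,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + length], pos + length


def build_keytab(entries) -> bytes:
    """Serialise entries into a keytab blob (used here to construct input)."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)   # 32-bit kvno appended by modern tools
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Parse a keytab blob into KeytabEntry records."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        components = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            components.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:       # full 32-bit kvno present after the keyblock
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def key_fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint so keys can be compared without printing them."""
    return hashlib.sha256(key).hexdigest()[:16]


def shared_key_groups(entries):
    """Map key fingerprint -> principals that carry identical (enctype, kvno, key).
    SPNs that are aliases of one AD account land in the same group."""
    groups = {}
    for e in entries:
        groups.setdefault((e.enctype, e.kvno, e.key), []).append(e.principal)
    return {key_fingerprint(k[2]): sorted(p) for k, p in groups.items() if len(p) > 1}


def extract_service(entries, service: str):
    """Entries whose first principal component is `service`, e.g. "HTTP"."""
    return [e for e in entries if e.principal.split("/", 1)[0] == service]


# Constructed sample: one AD machine account (web01$) with three SPNs, which AD
# backs with a single key. The key bytes are made up for the demonstration.
_MACHINE_KEY = bytes(range(0x20, 0x40))
SAMPLE_ENTRIES = [
    KeytabEntry(f"{svc}/web01.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL,
                1690000000, 7, ETYPE_AES256, _MACHINE_KEY)
    for svc in ("HOST", "HTTP", "SQL")
]


def demo():
    entries = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for fp, principals in shared_key_groups(entries).items():
        print(f"key {fp} shared by: {', '.join(principals)}")
    http_only = extract_service(entries, "HTTP")
    # The HTTP-only keytab still carries the machine account's key.
    print("HTTP keytab key fingerprint:", key_fingerprint(http_only[0].key))
    return http_only


if __name__ == "__main__":
    demo()
```

To audit a real host, feed `parse_keytab(open("/etc/krb5.keytab", "rb").read())` to `shared_key_groups` (as root, since the file is readable only by root); `klist -Kk` shows the same keys from the MIT tools. Any service principal that lands in a group with HOST/ is an alias of the machine account, so handing its keytab to a service is equivalent to handing over the machine credential, which is why the gssproxy route Spike points to (the service never touches the keytab; gssproxy holds it and performs the GSSAPI operations on the service's behalf) is the way to keep the key out of the service's reach.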
