Spike, thank you again. I'm aware of the link James supplied and I already tested it successfully. As I'm doing some research, I just wanted to have a second/third opinion on how other admins handle the keytab/rotation problem. Specifically if it is bad practice to have many SPNs on a single host object in Active Directory :)

So it looks like I either have to create unique host/user objects in AD and use individual keytab files for each service, or do the separation in software with gssproxy.

Stefan

On Tue., 25 July 2023 at 15:54, Spike White <[email protected]> wrote:

> Stefan,
>
> From what I'm reading, it looks like James supplied the answer.
> gssproxy. This URL:
> gssproxy/docs/Apache.md at main · gssapi/gssproxy · GitHub
> <https://github.com/gssapi/gssproxy/blob/main/docs/Apache.md>
>
> seems to demonstrate how to implement this for Apache webserver.
>
> Spike
>
> On Tue, Jul 25, 2023 at 12:50 AM Stefan Bauer <[email protected]> wrote:
>
>> Thank you Spike and James for your reply. That was quite helpful.
>> Yes, I currently do have a single host principal in Active Directory that
>> has numerous servicePrincipalNames:
>> HOST/...
>> HTTP/
>> SQL/...
>>
>> for all services running on this specific host.
>>
>> So it can not be separated as the only credential for that host is the
>> machine account itself. Correct?
>>
>> Is it bad practice to have additional SPNs on the host principal?
>>
>> How do you associate and rotate your keytabs for services?
>>
>> Thank you.
>>
>> Stefan
>>
>> On Mon., 24 July 2023 at 23:14, Spike White <[email protected]> wrote:
>>
>>> I know on a former commercial product I used the monthly machine
>>> account credential renewal had a "hook" parameter where you could specify
>>> an executable script to be called. It was designed to work with Samba, so
>>> that you could write the samba keytab file without Samba needing to access
>>> the /etc/krb5.keytab file.
>>>
>>> Possibly sssd has such a post-rotate hook parameter as well.
>>>
>>> That worked great for creating a Samba-viewable credentials.
>>>
>>> However, it sounds like you're defining SPNs as alternate names for the
>>> host principal. I don't see how you could write a HTTP.keytab file or so
>>> with entries for HTTP/<service>@<domain> without embedding the
>>> credentials for the host principal (under the HTTP/ SPN of course).
>>>
>>> Spike
>>>
>>> On Thu, Jul 20, 2023 at 7:38 AM Stefan Bauer <[email protected]> wrote:
>>>
>>>> Dear Users,
>>>>
>>>> I really love SSSD and also the auto-renewal of the host keytab file.
>>>>
>>>> On many hosts we add the SPNs
>>>>
>>>> HTTP/
>>>> SQL/...
>>>>
>>>> directly to the machine account in Active Directory. This is all fine
>>>> and works.
>>>>
>>>> However, I have a bad feeling about letting services read the keytab
>>>> file as it gives access to the machine account.
>>>>
>>>> Opinions?
>>>>
>>>> How do you handle service keytabs and their rotation?
>>>>
>>>> Thank you.
>>>>
>>>> Stefan

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
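To make the gssproxy option discussed in the thread concrete, here is an added example of a gssproxy service section for an Apache instance using mod_auth_gssapi. It is written for this page and is not code from the thread, from the gssproxy project, or from its Apache.md document. The file name, the keytab path `/etc/gssproxy/http.keytab` and the uid 48 are assumptions; `mechs`, `cred_store`, `cred_usage` and `euid` are gssproxy.conf options.

```ini
; /etc/gssproxy/99-http.conf (assumed file name; gssproxy reads its
; configuration from /etc/gssproxy/)
;
; Added example: one gssproxy service definition for httpd. The web server
; never opens a keytab itself. It talks to gssproxy over its socket and
; gssproxy, which runs as root, performs the GSSAPI accept on its behalf,
; so the apache user needs no read access to /etc/krb5.keytab.
[service/HTTP]
  mechs = krb5
  ; Keytab holding only the HTTP/ entries, kept root-owned and mode 0600.
  ; Caveat from the thread: while the HTTP/ SPN is attached to the machine
  ; account, this entry is the machine account's key under another name.
  ; gssproxy limits who can *use* it; it does not make it a different key.
  cred_store = keytab:/etc/gssproxy/http.keytab
  ; Accept-only: httpd validates client tickets, it does not obtain its own.
  cred_usage = accept
  ; Only processes whose effective uid matches may use this section
  ; (48 is assumed to be the apache user on this host).
  euid = 48
```

Two things worth checking after putting this in place. First, httpd must be told to use the proxy: set `GSS_USE_PROXY=1` in its environment (for a systemd-managed httpd, a drop-in with `Environment=GSS_USE_PROXY=1`), then restart gssproxy and httpd, and confirm with `klist -k /etc/gssproxy/http.keytab` that the file contains HTTP/ entries only. Second, rotation: as long as the SPN stays on the machine account, the key in this keytab changes whenever sssd renews the machine password, so the file has to be regenerated at that point; moving HTTP/ to its own AD object, the other option named in the thread, is what decouples the service key and its rotation from the machine account.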
