[Freeipa-devel] Generating kerberos keytabs

Karl MacMillan kmacmill at redhat.com
Mon Oct 29 14:04:49 UTC 2007
On Fri, 2007-10-26 at 11:31 -0400, Simo Sorce wrote:
> On Fri, 2007-10-26 at 11:15 -0400, Karl MacMillan wrote:
> > I'm looking into creating the xml-rpc interface for generating service
> > principals / keytabs and need some help getting started (since I'm a
> > kerberos newb). Questions:
> > 
> > 1) Is there a way to do this programmatically or am I going to end up
> > scripting around kadmin?
> 
> Scripting around kadmin.local for now
> 

Simo, Rob, and I discussed this a bit more on IRC. Using kadmin.local
has a number of drawbacks:

1) we would have to create a setuid helper that would be called by the
web interface.

2) because kadmin.local insists on saving the keytab on the local disk
and barfs when given an existing but empty file, insecure temporary
files would need to be used.

We decided to explore creating a tool to directly add service principals
to ldap and suck those out as keytabs. So far it looks like the keytab
format is simple enough that this shouldn't be that much work.

Karl
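An added example, not code from this thread or from FreeIPA: a minimal writer and parser for the MIT keytab version-2 format referred to above, so keytab bytes can be produced in memory and handed back to the caller with no temporary file on disk. The layout follows the MIT krb5 keytab format; the principal, kvno, key bytes and enctype 18 (aes256-cts-hmac-sha1-96) used in the checks are constructed values.

```python
import struct

# MIT keytab v2 (magic 0x0502). Entry: int32 size | uint16 ncomp | realm |
# ncomp x component | uint32 name_type | uint32 timestamp | uint8 vno8 |
# uint16 enctype | uint16 keylen | key | optional uint32 kvno.
# Strings are uint16 length + bytes; every integer is big-endian.
KEYTAB_V2 = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1  # name type for ordinary principals

def _counted(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s

def encode_entry(principal, kvno, enctype, key, timestamp):
    """Serialize one entry for a principal written as 'svc/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # full 32-bit kvno; vno8 is the legacy field
    return struct.pack(">i", len(body)) + body

def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    return KEYTAB_V2 + b"".join(encode_entry(*e) for e in entries)

def parse_keytab(data: bytes):
    """Decode a v2 keytab into dicts, skipping deleted (negative-size) slots."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size < 0:  # deleted slot occupies abs(size) bytes
            pos -= size
            continue
        end, (ncomp,) = pos + size, struct.unpack_from(">H", data, pos)
        pos, strs = pos + 2, []  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _nt, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno,
                    "enctype": etype, "key": key, "timestamp": ts})
        pos = end
    return out
```

The bytes returned by build_keytab can be written out by the receiving client with its own restrictive permissions, which is the part the kadmin.local round trip makes awkward.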
