[Freeipa-users] ipa impressions and more questions

Andrew C. Dingman adingman at redhat.com
Wed Sep 17 14:27:23 UTC 2008


On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
> Hi All,
> 
> Thanks to Simo Sorce for his time and help with getting ipa up and
> running. Everything that I have been going through in the docs works
> well.
> 
> I just don't understand what these service principals are. Now I
> can understand a service principal for ssh. If we add a service
> principal for ssh for a host, we allow ipa users to connect via ssh to
> this host and auth. (would be great if it were more granular - as I
> understand, this is for version 2).
> But what is a service principal for DHCP, or snmp, or DNS???? How do those work?

Mostly, they don't :)

That is, most services don't need service principals. Generally
speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
therefore have no need of service principals. DHCP is pretty much devoid
of any authentication capability. SNMP has some authentication
capability, but it's currently built around an SNMP-specific mechanism
that doesn't play with Kerberos. Likewise, DNS has some limited
authentication capability that almost nobody uses, and Kerberos support
is a non-standard extension that's only even useful for a few operations
that most clients never attempt.

Kerberos principals are identities in Kerberos. Any service that is
going to accept Kerberos tickets to authenticate users needs to have
one. Any service that doesn't accept Kerberos tickets for authentication
doesn't need a service principal. Sometimes, a few services will share
an identity, as is the case when you have multiple services using the
'host/<hostname>' principal to provide shell access.

Suppose, for example, that I have a server named myhost.example.com
offering public, unauthenticated web services, SSH shell access to a few
users, and an IMAP mail server. If I'm using Kerberos authentication,
I'll need these principals:

	host/myhost.example.com		for SSH
	imap/myhost.example.com		for whatever IMAP server

I don't need a service principal for the web server, because the web
server isn't doing authentication with Kerberos. That doesn't mean it
can't -- it most certainly can be done -- but I only need a service
principal for the web server if it's using Kerberos authentication.

Just to be clear, my example here is only relevant to how Kerberos
works. It is not meant to reflect how IPA is configured. In particular,
IPA *does* authenticate users to the web server using Kerberos, and
therefore *does* need a service principal for the web service.

-- 
Andrew C. Dingman, RHCA, RHCSS, RHCX
Instructor, Red Hat Global Learning Services
adingman at redhat.com
gpg: 4DEB 3DF1 1007 B26D EC76  80F4 3C26 A4EB 2975 74B2
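The rule Andrew describes above (a service needs a principal only if it accepts Kerberos tickets, and several services may share the host/ principal) as an added worked example; this is not code from the thread or from FreeIPA. It parses principal names into primary/instance@REALM, and derives the principal list for a host from a constructed service inventory. The realm EXAMPLE.COM, the SERVICES table and the uses_kerberos flags are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed realm for the example; the thread never names one.
REALM = "EXAMPLE.COM"


@dataclass(frozen=True)
class Principal:
    """A Kerberos identity: primary[/instance]@REALM.

    A user principal has no instance (e.g. 'ivan@EXAMPLE.COM'); a service
    principal uses the service name as primary and the host as instance
    (e.g. 'imap/myhost.example.com@EXAMPLE.COM').
    """
    primary: str
    instance: Optional[str]
    realm: str

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str, default_realm: str = REALM) -> Principal:
    """Split 'primary[/instance][@REALM]'; the realm defaults if omitted.

    The realm is upper-cased and the host instance lower-cased purely as a
    normalisation choice for this example (Kerberos itself compares names
    case-sensitively, so consistent casing matters when creating keytabs).
    """
    if "@" in text:
        name, realm = text.rsplit("@", 1)
    else:
        name, realm = text, default_realm
    if not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    if "/" in name:
        primary, instance = name.split("/", 1)
        if not primary or not instance:
            raise ValueError(f"malformed service principal: {text!r}")
        return Principal(primary, instance.lower(), realm.upper())
    return Principal(name, None, realm.upper())


def is_service_principal(p: Principal) -> bool:
    """Service principals carry a host instance; user principals do not."""
    return p.instance is not None


# Constructed inventory for the example host: (daemon, Kerberos service
# name, does it authenticate clients with Kerberos tickets?).  Only the
# last column decides whether a principal is needed; DNS and DHCP run
# unauthenticated, and the web server here serves public content only.
SERVICES: Tuple[Tuple[str, str, bool], ...] = (
    ("sshd", "host", True),          # shell access via the shared host/ principal
    ("krb5-telnet", "host", True),   # also shell access, same host/ identity
    ("dovecot-imap", "imap", True),  # IMAP with GSSAPI logins
    ("httpd", "HTTP", False),        # public, unauthenticated web content
    ("named", "DNS", False),         # plain DNS, no Kerberos
    ("dhcpd", "dhcp", False),        # DHCP has no Kerberos support at all
)


def required_principals(hostname: str, services=SERVICES,
                        realm: str = REALM) -> Dict[str, List[str]]:
    """Map each needed service principal to the daemons that will use it.

    Daemons that do not accept Kerberos tickets contribute nothing, and
    daemons sharing a Kerberos service name collapse onto one principal.
    """
    needed: Dict[str, List[str]] = {}
    for daemon, service, uses_kerberos in services:
        if not uses_kerberos:
            continue
        p = Principal(service, hostname.lower(), realm)
        needed.setdefault(str(p), []).append(daemon)
    return needed


if __name__ == "__main__":
    for principal, daemons in required_principals("myhost.example.com").items():
        print(f"{principal:40} used by {', '.join(daemons)}")
```

Running the block lists exactly the two principals from Andrew's example, host/ and imap/, with host/ shared by both shell daemons, and nothing for the web, DNS or DHCP services. Flipping httpd's flag to True is what the IPA case in the last paragraph corresponds to: the web service then needs its own HTTP/ principal.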