[Freeipa-users] ipa impressions and more questions

Simo Sorce ssorce at redhat.com
Wed Sep 17 14:45:34 UTC 2008


On Wed, 2008-09-17 at 10:27 -0400, Andrew C. Dingman wrote:
> On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
> > Hi All,
> > 
> > Thanks to Simo Sorce for his time and help with getting ipa up and
> > running. Everything that I have been going through in the docs works
> > well.
> > 
> > I just don't understand what these service principals are. Now I
> > can understand a service principal for ssh. If we add a service
> > principal for ssh for a host, we allow ipa users to connect via ssh to
> > this host and auth. (Would be great if it were more granular - as I
> > understand, this is for version 2).
> > But what is a service principal for DHCP, or snmp, or DNS???? How do those work?
> 
> Mostly, they don't :)
> 
> That is, most services don't need service principals. Generally
> speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> therefore have no need of service principals. DHCP is pretty much devoid
> of any authentication capability. SNMP has some authentication
> capability, but it's currently built around an SNMP-specific mechanism
> that doesn't play with Kerberos. Likewise, DNS has some limited
> authentication capability that almost nobody uses, and Kerberos support
> is a non-standard extension that's only even useful for a few operations
> that most clients never attempt.

I agree for DHCP and SNMP (do we really have entries for those in the
UI?), but disagree about DNS. Kerberos can be used (and we plan to use
it in v2) for GSS-TSIG authenticated DNS update requests.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



