[Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

Simo Sorce simo at redhat.com
Fri Jun 15 13:09:55 UTC 2012


On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
> principals or must you use the cn=accounts,cn=users container? I'm
> thinking this for script-authenticated machine accounts (might be of
> form user-hostname at REALM or user/hostname at REALM) that need to
> authenticate to another machine and just a way to separate them from
> the regular user accounts in cn=accounts,cn=users.

If you need to authenticate machines you probably want to use the
machine keytab in /etc/krb5.keytab which contains a host/fqdn at REALM
principal.

The principal is stored in cn=computers,cn=accounts in the computer
object if the machine is joined to IPA.

For machines you do not want to join, or if you want to use a different
service principal name, you should create a new service principal with
'ipa service-add', which will create a principal object in cn=services.

user-hostname or user/hostname are not common choices; while kerberos
does not enforce any particular convention on names, you usually want to
use the service/fqdn at REALM convention, where 'service' is the service name.
Many services already have conventions for the principal name (for
example HTTP/fqdn at REALM for http servers).

If your scripts are arbitrary you may decide to create your own script
principal (useful if you want to assign special ACIs to it in IPA, as you
can reference the service account under cn=services in ACIs, in theory).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
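
The procedure Simo describes (create a service/fqdn at REALM principal with 'ipa service-add', get a keytab for it, and use that keytab for non-interactive authentication from a script) as an added example; this is not code from the thread or from the FreeIPA project. The service name "backup", the host scripthost.example.com, the realm EXAMPLE.COM, the server ipa.example.com and the base DN are hypothetical; it assumes the admin running it already holds a ticket allowed to add hosts and services. With DRY_RUN=1 the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. All names are hypothetical.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints commands instead of executing them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# service/fqdn@REALM, the naming convention recommended in the reply
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$REALM"
}

# DN of the entry 'ipa service-add' creates under cn=services,cn=accounts;
# this is what an ACI would reference for a script account
service_dn() {
    printf 'krbprincipalname=%s,cn=services,cn=accounts,%s\n' \
        "$(service_principal "$1" "$2")" "$BASE_DN"
}

# A service needs a host object; for a machine that is not joined, register
# one first (--force skips the DNS resolution check)
register_host() {
    run ipa host-add "$1" --force
}

create_service() {
    run ipa service-add "$(service_principal "$1" "$2")"
}

# Caveat: every ipa-getkeytab run generates fresh keys for the principal, so
# any keytab fetched earlier for it stops working. Fetch once, then copy.
fetch_keytab() {
    run ipa-getkeytab -s "$IPA_SERVER" -p "$(service_principal "$1" "$2")" -k "$3"
}

# The keytab is a long-term credential: readable only by the script's account
protect_keytab() {
    run chown "$2" "$1"
    run chmod 0600 "$1"
}

# Non-interactive login from the script (-kt: use the keytab, no password)
script_kinit() {
    run kinit -kt "$3" "$(service_principal "$1" "$2")"
}

# Whole setup for one script account: svc fqdn keytab owner
setup_script_account() {
    register_host "$2"
    create_service "$1" "$2"
    fetch_keytab "$1" "$2" "$3"
    protect_keytab "$3" "$4"
}

# Usage: DRY_RUN=1 sh this.sh setup backup scripthost.example.com /etc/backup.keytab backup
if [ "${1:-}" = "setup" ]; then
    setup_script_account "$2" "$3" "$4" "$5"
fi
```

Run it with DRY_RUN=1 first to review the exact commands, then for real; the script itself then authenticates with script_kinit (or an equivalent kinit -kt line) before talking to the other machine, which in turn checks the client principal name rather than any password.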
