[Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

Stephen Ingram sbingram at gmail.com
Tue Jun 19 16:28:23 UTC 2012


On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce <simo at redhat.com> wrote:
> On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
>> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
>> principals or must you use the cn=accounts,cn=users container? I'm
>> thinking this for script-authenticated machine accounts (might be of
>> form user-hostname at REALM or user/hostname at REALM) that need to
>> authenticate to another machine and just a way to separate them from
>> the regular user accounts in cn=accounts,cn=users.
>
> If you need to authenticate machines you probably want to use the
> machine keytab in /etc/krb5.keytab which contains a host/fqdn at REALM
> principal.
>
> The principal is stored in cn=computers,cn=accounts in the computer
> object if the machine is joined to IPA.
>
> For machines you do not want to join or if you want to use a different
> service principal name you should create a new service principal with
> 'ipa service-add' which will create a principal object in cn=services
>
> user-hostname or user/hostname are not common choices; while kerberos
> does not enforce any particular convention on names, you usually want to
> use the service/fqdn at REALM convention, where 'service' is the service name.
> Many services already have conventions for the principal name (for
> example HTTP/fqdn at REALM for http servers).
>
> If your scripts are arbitrary you may decide to create your own script
> principal (useful if you want to assign special ACIs to it in IPA as you
> can reference the service account under cn=services in ACIs in theory).

I couldn't agree more. Here's the situation though. I'm trying to use
IPA for a Cyrus IMAP Murder configuration. This involves
machine-to-machine authentication, but it's not really the machine,
it's a process on the machine. It's a process client authenticating
itself to a process server. The client constantly authenticates using
a script to obtain keys from a keytab. The server is authenticated
when the client connects to it. I was thinking like you are
suggesting, to use service principals, but I'm being told that user
principals are the way to go on the client end of things. Not wanting
to mix service users in with my regular users, I thought about putting
them in sysaccounts. I should probably take this up on the kerberos
list, but I was trying to do this within the constructs of IPA. I've
read that kerberos is indifferent to user vs service principals. Is
this true also of IPA besides the organization of the keys?

Steve
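Added example (not from this thread): the service-principal route Simo describes, as a POSIX shell script that builds a service/fqdn at REALM name, creates it with 'ipa service-add', fetches its keytab, and shows what a client script does to authenticate from that keytab. The realm, IPA server, service name, hostname and keytab path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
set -eu

REALM="EXAMPLE.COM"            # assumption
IPA_SERVER="ipa.example.com"   # assumption

# Build a principal in the service/fqdn@REALM form. Rejects a service part
# containing '/', '@' or other characters that would break the name, and a
# host part that is not fully qualified (no dot).
build_principal() {
    svc="$1"; fqdn="$2"; realm="$3"
    case "$svc" in
        *[!A-Za-z0-9_-]*|"") echo "bad service name: $svc" >&2; return 1 ;;
    esac
    case "$fqdn" in
        *.*) ;;
        *) echo "not a fully qualified hostname: $fqdn" >&2; return 1 ;;
    esac
    printf '%s/%s@%s\n' "$svc" "$fqdn" "$realm"
}

# Admin side, run once with a valid admin ticket on an enrolled client:
# creates the principal object under cn=services and writes its keytab.
# ipa-getkeytab generates a fresh key, so any older keytab for this
# principal stops working.
create_service_keytab() {
    princ="$1"; keytab="$2"
    ipa service-add "$princ"
    ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$keytab"
    chmod 600 "$keytab"
}

# Client side: the script that keeps authenticating from the keytab.
# A private credential cache avoids clobbering an interactive user's tickets.
kinit_from_keytab() {
    princ="$1"; keytab="$2"
    export KRB5CCNAME="FILE:/run/cyrus-krb5cc.$$"   # assumption: writable path
    kinit -k -t "$keytab" "$princ"
    klist
}

main() {
    princ=$(build_principal imap mail1.example.com "$REALM")
    create_service_keytab "$princ" /etc/cyrus/imap.keytab   # assumed path
    kinit_from_keytab "$princ" /etc/cyrus/imap.keytab
}

# Functions only are defined unless invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then main "$@"; fi
```

The 'ipa' and 'ipa-getkeytab' steps need an admin ticket on an IPA-enrolled client; the name-building function runs anywhere.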