[Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

Simo Sorce simo at redhat.com
Tue Jun 19 16:54:47 UTC 2012


On Tue, 2012-06-19 at 09:28 -0700, Stephen Ingram wrote:
> On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce <simo at redhat.com> wrote:
> > On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
> >> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
> >> principals or must you use the cn=accounts,cn=users container? I'm
> >> thinking this for script-authenticated machine accounts (might be of
> >> form user-hostname@REALM or user/hostname@REALM) that need to
> >> authenticate to another machine and just a way to separate them from
> >> the regular user accounts in cn=accounts,cn=users.
> >
> > If you need to authenticate machines you probably want to use the
> > machine keytab in /etc/krb5.keytab which contains a host/fqdn@REALM
> > principal.
> >
> > The principal is stored in cn=computers,cn=accounts in the computer
> > object if the machine is joined to IPA.
> >
> > For machines you do not want to join, or if you want to use a different
> > service principal name, you should create a new service principal with
> > 'ipa service-add', which will create a principal object in cn=services.
> >
> > user-hostname or user/hostname are not common choices; while Kerberos
> > does not enforce any particular convention on names, you usually want to
> > use the service/fqdn@REALM convention, where 'service' is the service name.
> > Many services already have conventions for the principal name (for
> > example HTTP/fqdn@REALM for HTTP servers).
> >
> > If your scripts are arbitrary you may decide to create your own script
> > principal (useful if you want to assign special ACIs to it in IPA, as you
> > can reference the service account under cn=services in ACIs, in theory).
> 
> I couldn't agree more. Here's the situation though. I'm trying to use
> IPA for a Cyrus IMAP Murder configuration. This involves
> machine-to-machine authentication, but it's not really the machine,
> it's a process on the machine. It's a process client authenticating
> itself to a process server. The client constantly authenticates using
> a script to obtain keys from a keytab. The server is authenticated
> when the client connects to it. I was thinking like you are
> suggesting, to use service principals, but I'm being told that user
> principals are the way to go on the client end of things. Not wanting
> to mix service users in with my regular users, I thought about putting
> them in sysaccounts. I should probably take this up on the kerberos
> list, but I was trying to do this within the constructs of IPA. I've
> read that kerberos is indifferent to user vs service principals. Is
> this true also of IPA besides the organization of the keys?

Yes, with IPA you can use service principals to initiate context w/o
problems. That's why I suggested you use a service principal.
AD has a limitation that you must use an actual user to initiate a
context; that may be where the suggestion is coming from.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
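
The client-side pattern discussed in this thread (a script that authenticates as a service principal from a keytab rather than as a user, with the principal created through 'ipa service-add'), written out as an added example that is not part of the original thread or of FreeIPA itself. The service name "imap", the host client.example.com, the realm EXAMPLE.COM, the keytab path /etc/cyrus/client.keytab and the use of ipa-getkeytab to fetch the key are assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: service "imap",
# host client.example.com, realm EXAMPLE.COM, keytab /etc/cyrus/client.keytab.

# Build a principal in the service/fqdn@REALM convention recommended above.
principal_name() {
    # $1 = service name, $2 = fqdn of the client host, $3 = Kerberos realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Admin-side, one-off setup (run by an IPA admin, not by the client script).
# 'ipa service-add' creates the principal object under cn=services;
# 'ipa-getkeytab' retrieves its key into a keytab the client process can read.
# Kept in a function so nothing is executed when this file is merely sourced.
create_service_and_keytab() {
    # $1 = principal, $2 = keytab path (should be readable only by the client uid)
    ipa service-add "$1" &&
    ipa-getkeytab -p "$1" -k "$2"
}

# Return 0 when the credential cache already holds a valid, non-expired TGT.
# 'klist -s' is silent and exits non-zero if the cache is missing or expired.
have_valid_tgt() {
    klist -s 2>/dev/null
}

# Obtain a TGT from the keytab only when needed, so a script that runs very
# frequently does not send a fresh AS-REQ to the KDC on every invocation.
ensure_tgt() {
    # $1 = principal, $2 = keytab path
    if have_valid_tgt; then
        return 0
    fi
    kinit -k -t "$2" "$1"
}

# Client flow: authenticate as the service principal, then hand off to the
# IMAP client command. Guarded so it only runs when invoked by this file name.
if [ "${0##*/}" = "imap_client_auth.sh" ]; then
    PRINC=$(principal_name imap client.example.com EXAMPLE.COM)
    ensure_tgt "$PRINC" /etc/cyrus/client.keytab || exit 1
    klist
fi
```

The point of the ensure_tgt helper is that the service principal initiates the context exactly as a user principal would, as the reply above says IPA allows; the only client-side difference from a user login is that the key comes from a keytab (kinit -k -t) instead of a password, which is why the keytab file's permissions matter as much as a password would.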
