Discussion:
[Freeipa-users] Admin cannot retrieve keytab -- is that expected?
Jan Pazdziora
2017-04-17 10:35:38 UTC
Hello,

on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve a
new keytab for a service, but they cannot retrieve the existing keys
with the -r option. Is that expected?

# kdestroy -A
# kinit admin
Password for ***@EXAMPLE.TEST:
# ipa host-add test1.example.test --force
-------------------------------
Added host "test1.example.test"
-------------------------------
Host name: test1.example.test
Principal name: host/***@EXAMPLE.TEST
Principal alias: host/***@EXAMPLE.TEST
Password: False
Keytab: False
Managed by: test1.example.test
# ipa service-add HTTP/test1.example.test --force
----------------------------------------------------
Added service "HTTP/***@EXAMPLE.TEST"
----------------------------------------------------
Principal name: HTTP/***@EXAMPLE.TEST
Principal alias: HTTP/***@EXAMPLE.TEST
Managed by: test1.example.test

# ipa-getkeytab -p HTTP/test1.example.test -k /tmp/http.keytab
Keytab successfully retrieved and stored in: /tmp/http.keytab

# ipa-getkeytab -r -p HTTP/test1.example.test -k /tmp/http.keytab.1
Failed to parse result: Insufficient access rights

Failed to get keytab
#
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Alexander Bokovoy
2017-04-17 13:49:59 UTC
Post by Jan Pazdziora
Hello,
on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
new keytab for a service but they cannot retrieve the existing keys
with the -r option. Is that expected?
Yes. Access to existing keys is intentionally restricted. There are
additional commands that allow you to set up how to grant such access
based on the management of a service. There is no way to set up a blanket
permission for that, though, as the permission is based on specific
attributes in the service entry.

# ipa service-add foobar/$(hostname)
--------------------------------------------------
Added service "foobar/***@XS.IPA.COOL"
--------------------------------------------------
Principal name: foobar/***@XS.IPA.COOL
Principal alias: foobar/***@XS.IPA.COOL
Managed by: nyx.xs.ipa.cool

# ipa service-allow-retrieve-keytab foobar/$(hostname) --groups=admins
Principal name: foobar/***@XS.IPA.COOL
Principal alias: foobar/***@XS.IPA.COOL
Managed by: nyx.xs.ipa.cool
Groups allowed to retrieve keytab: admins
-------------------------
Number of members added 1
-------------------------

# ipa service-show foobar/$(hostname) --all --raw|grep ipaAllowedToPerform
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool


This is all documented very well: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/retrieve-existing-keytabs.html
--
/ Alexander Bokovoy
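The service-allow-retrieve-keytab step above writes the ipaAllowedToPerform;read_keys attribute that ipa-getkeytab -r is checked against, so a service can be audited for that grant before anyone is given it. What follows is an added example, not code from the thread or from FreeIPA: a POSIX sh helper that reads raw `ipa service-show --all --raw` output (here a constructed sample whose DNs, write_keys line and dc=example,dc=test suffix are assumptions) and reports which DNs may retrieve the existing keys.

```shell
#!/bin/sh
# Constructed sample of `ipa service-show <principal> --all --raw` output
# (not captured from a real deployment). Each "ipaAllowedToPerform;read_keys"
# value is the DN of a user, group, host or host group permitted to run
# ipa-getkeytab -r against this principal.
SAMPLE_RAW='dn: krbprincipalname=HTTP/test1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: HTTP/test1.example.test@EXAMPLE.TEST
managedby: fqdn=test1.example.test,cn=computers,cn=accounts,dc=example,dc=test
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
ipaAllowedToPerform;read_keys: fqdn=test1.example.test,cn=computers,cn=accounts,dc=example,dc=test
ipaAllowedToPerform;write_keys: cn=admins,cn=groups,cn=accounts,dc=example,dc=test'

# The same service with no retrieve ACL at all, the state in the original
# question where -r failed with "Insufficient access rights" (also constructed).
SAMPLE_RAW_NOACL='dn: krbprincipalname=HTTP/test1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: HTTP/test1.example.test@EXAMPLE.TEST
managedby: fqdn=test1.example.test,cn=computers,cn=accounts,dc=example,dc=test'

# Print the DNs allowed to retrieve existing keys, one per line (possibly none).
read_keys_acl() {
    printf '%s\n' "$1" | sed -n 's/^ipaAllowedToPerform;read_keys: //p'
}

# Exit 0 if DN $2 is explicitly listed in the retrieve ACL of entry $1, else 1.
can_read_keys() {
    read_keys_acl "$1" | grep -Fxq -- "$2"
}

# "retrievable" when at least one DN is listed; "regenerate-only" when the
# list is empty, i.e. -r fails for everyone and only a fresh keytab
# (new keys, which invalidate the old keytab) can be obtained.
keytab_policy() {
    if [ -n "$(read_keys_acl "$1")" ]; then
        echo retrievable
    else
        echo regenerate-only
    fi
}

# Stand-alone run: report on both constructed samples.
for entry in "$SAMPLE_RAW" "$SAMPLE_RAW_NOACL"; do
    name=$(printf '%s\n' "$entry" | sed -n 's/^krbprincipalname: //p')
    printf '%s: %s\n' "$name" "$(keytab_policy "$entry")"
    read_keys_acl "$entry" | sed 's/^/  may retrieve: /'
done
```

On a live server the same functions apply to `ipa service-show "$principal" --all --raw` output, which lists the grants in the form shown in the thread.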
Jan Pazdziora
2017-04-17 14:38:06 UTC
Post by Alexander Bokovoy
Post by Jan Pazdziora
Hello,
on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
new keytab for a service but they cannot retrieve the existing keys
with the -r option. Is that expected?
Yes. Access to existing keys is intentionally restricted. There are
additional commands that allow to set up how to grant such access based
on the management of a service. There is no way to set up a blank
permission for that, though, as permission is based on the specific
attributes in the service entry.
# ipa service-add foobar/$(hostname)
--------------------------------------------------
--------------------------------------------------
Managed by: nyx.xs.ipa.cool
# ipa service-allow-retrieve-keytab foobar/$(hostname) --groups=admins
Managed by: nyx.xs.ipa.cool
Groups allowed to retrieve keytab: admins
-------------------------
Number of members added 1
-------------------------
# ipa service-show foobar/$(hostname) --all --raw|grep ipaAllowedToPerform
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool
Thank you,
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat