For a test setup, we need to create a custom service running on a server and a custom application running on the client. The sample gss client/server from the Kerberos sources is used for demonstration.
Setting this up with plain Kerberos is easy:
1. Create the service principal with
   $ addprinc -randkey sample/server.domain
2. Add key to keytab
   $ ktadd ...
3. Copy keytab to server
4. Run the service
   $ gss_server -port 12345 sample
Now, how would one do this with freeipa, using the command line interface?
1. Create service
   $ ipa service-add sample/server.domain
2a. Create the service key? How?
2b. Generate the keytab for the key? How?
3. Copy the keytab to the server? Manually or is there a freeipa way to do that?
Is this approach correct? Any pointer to the relevant documentation would also be helpful.
(I'm completely new to freeipa.)
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
On Wed, 24 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
For a test setup, we need to create a custom service running on a server and a custom application running on the client. The sample gss client/server from the Kerberos sources is used for demonstration.
Setting this up with plain Kerberos is easy:
- Create the service principal with $ addprinc -randkey sample/server.domain
- Add key to keytab $ ktadd ...
- Copy keytab to server
- Run the service $ gss_server -port 12345 sample
Now, how would one do this with freeipa, using the command line interface?
- Create service $ ipa service-add sample/server.domain
- 2a. Create the service key? How?
- 2b. Generate the keytab for the key? How?
- 3. Copy the keytab to the server? Manually or is there a freeipa way to do that?
Assuming both client and server are enrolled into FreeIPA:
1. As admin, add a service and allow its host to create a keytab:
kinit admin
ipa service-add sample/server.domain
ipa service-allow-create-keytab sample/server.domain --hosts=server.domain
2. On the server system:
kinit -k
ipa-getkeytab -p sample/server.domain -k ./sample.keytab
3. Run the service
$ KRB5_KTNAME=./sample.keytab KRB5_CLIENT_KTNAME=./sample.keytab gss_server -port 12345 sample
See man kerberos(7) for the environment variables, ipa-getkeytab(1) for examples of ipa-getkeytab use and 'ipa help service' for details on the service commands (or any other IPA command line utility commands).
Is this approach correct? Any pointer to the relevant documentation would also be helpful.
This all is documented in RHEL IdM documentation, as linked on https://www.freeipa.org/page/Documentation#User_Guides
RHEL 7 documentation is more detailed as RHEL 8 takes a different approach in documenting specific use cases while RHEL 7 documentation covers all operations. They mostly complement each other.
Managing services is chapter 16 in RHEL7 documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
A relevant design document pair upstream is https://www.freeipa.org/page/V4/Keytab_Retrieval and https://www.freeipa.org/page/V4/Keytab_Retrieval_Management
(I'm completely new to freeipa.)
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
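The procedure from the reply written out as one script, with the checks a practitioner would run before trusting the keytab. This is an added example, not code from the thread or from the FreeIPA project; the service name sample, the host server.domain, the realm DOMAIN and the keytab path ./sample.keytab are hypothetical and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the three steps
# from the reply as a script, plus the checks worth running before trusting
# the keytab.  Hypothetical names: service "sample", host server.domain,
# realm DOMAIN, keytab ./sample.keytab; override them via the environment.
set -eu

SERVICE=${SERVICE:-sample}
HOST=${HOST:-server.domain}
REALM=${REALM:-DOMAIN}
KEYTAB=${KEYTAB:-./sample.keytab}
PRINC="$SERVICE/$HOST@$REALM"

# Step 1, as admin on any enrolled machine: register the service and let its
# host create the key.  service-add fails if the entry already exists, so
# fall back to service-show to confirm it is there.
ipa_register_service() {
    ipa service-add "$SERVICE/$HOST" || ipa service-show "$SERVICE/$HOST" >/dev/null
    ipa service-allow-create-keytab "$SERVICE/$HOST" --hosts="$HOST"
}

# Step 2, on the server, authenticated with the host keytab (kinit -k).
# Caveat: ipa-getkeytab generates a NEW key every time it is run this way,
# which bumps the kvno and invalidates any keytab fetched earlier for this
# principal.  To copy an existing key instead, use ipa-getkeytab -r after
# granting `ipa service-allow-retrieve-keytab`.
fetch_keytab() {
    kinit -k
    ipa-getkeytab -p "$SERVICE/$HOST" -k "$KEYTAB"
    chmod 0600 "$KEYTAB"
}

# Parse `klist -kt` output on stdin: succeed if the principal has an entry.
# The principal is the last field of each entry line.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { f = 1 } END { exit f ? 0 : 1 }'
}

# Parse `klist -kt` output on stdin: print the highest kvno for the
# principal, or 0 if it has no entry.
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 + 0 > m { m = $1 + 0 } END { print m + 0 }'
}

# Checks: the keytab holds the principal, and the key actually matches the
# KDC, proven by obtaining a TGT with it into a throwaway credential cache.
# A stale keytab (kvno behind the KDC) fails at the kinit.
verify_keytab() {
    if ! klist -kt "$KEYTAB" | keytab_has_principal "$PRINC"; then
        echo "no entry for $PRINC in $KEYTAB" >&2
        return 1
    fi
    echo "$KEYTAB holds $PRINC at kvno $(klist -kt "$KEYTAB" | keytab_kvno "$PRINC")"
    cc=$(mktemp)
    KRB5CCNAME="FILE:$cc" kinit -kt "$KEYTAB" "$PRINC"
    kdestroy -c "FILE:$cc"
}

# Step 3: run the sample server against this keytab, as in the reply.
run_service() {
    KRB5_KTNAME="$KEYTAB" KRB5_CLIENT_KTNAME="$KEYTAB" \
        exec gss_server -port 12345 "$SERVICE"
}

# Stages are run one at a time, e.g. `sh sample-service.sh register` as
# admin, then `fetch`, `verify` and `run` on the server.  With no argument
# the script only defines the functions above.
case "${1:-}" in
    register) ipa_register_service ;;
    fetch)    fetch_keytab ;;
    verify)   verify_keytab ;;
    run)      run_service ;;
    "")       ;;
    *)        echo "usage: $0 register|fetch|verify|run" >&2; exit 2 ;;
esac
```

The verify stage is the part most worth keeping: klist only proves the file was written, while the kinit against the keytab proves the key and kvno agree with what the KDC holds, which is exactly what breaks when ipa-getkeytab is re-run without -r on another copy.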