On Wed, 21 Aug 2019, TomK via FreeIPA-users wrote:
> Hey All,
> 
> The primary master I have has the kadmin principal for it:
> 
> kadmin/ipa03.mws.mds....@mws.mds.xyz
> 
> The slave (idmipa04) doesn't have a corresponding kadmin/... principal entry. Can't find these principals in the UI.

It is only created on the first master because it is part of the process
that is run within 'kdb5_util create'. This process is not run on
replica deployment because we already have all the needed master keys
and the database layout.

We don't really use the KADMIN protocol over the network in FreeIPA, so this
principal is rather unutilized.

> 1) Should the slave installer have created the slave kadmin/... principal?
> 2) If I wanted to create one, should the pass be any random string or something specific?
> 3) Are there specific IPA commands to create the kadmin/... principals with?

What do you need it for? What operations do you miss from FreeIPA
CLI/API?

The KADMIN protocol isn't really useful in the FreeIPA case. KADMIN doesn't have
proper access controls since all operations there are still done under a
super-privileged identity when the request comes to the KDB layer rather
than the original requester identity. It is, thus, not possible to
re-bind to LDAP from the KDB driver as the original requester to make sure
the LDAP server enforces proper access controls per entry.

The kadmin daemon has its own static definition, kadm5.acl, for access control.
However, it is useless for dynamic multi-master environments like
FreeIPA.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
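The reply above says the per-host kadmin/<fqdn> principal is created only by 'kdb5_util create' on the first master, while replicas inherit the shared database without one. The script below is an added example (not part of the thread and not FreeIPA's own tooling) that checks a 'kadmin.local -q listprincs' dump for exactly that: the kadmin/* entries present, and whether a given host has its own. The dump, the hostnames master.example.test and replica.example.test, and the realm EXAMPLE.TEST are constructed for the example; on a real IPA server you would feed it the output of kadmin.local instead.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA itself.
# Checks which kadmin/* principals a KDC database holds and whether a given
# host has its own kadmin/<host>@<realm> entry (only the first master should).

# Print only the kadmin/* principals from a `kadmin.local -q listprincs` dump.
kadmin_principals() {
    printf '%s\n' "$1" | grep '^kadmin/'
}

# Return 0 when kadmin/<host>@<realm> is present in the dump, 1 otherwise.
has_host_kadmin() {
    printf '%s\n' "$1" | grep -q "^kadmin/$2@"
}

# Collect a live dump on an IPA server (requires root; kadmin.local prints an
# "Authenticating as principal ..." line that is filtered out). Not used by the
# constructed run below.
live_dump() {
    kadmin.local -q listprincs 2>/dev/null | grep -v '^Authenticating'
}

# Constructed dump, as a replica would see the replicated database: the first
# master's per-host entry exists, the replica's does not. Hostnames and realm
# are assumptions for this example.
DUMP='K/M@EXAMPLE.TEST
kadmin/admin@EXAMPLE.TEST
kadmin/changepw@EXAMPLE.TEST
kadmin/master.example.test@EXAMPLE.TEST
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
admin@EXAMPLE.TEST
host/master.example.test@EXAMPLE.TEST
host/replica.example.test@EXAMPLE.TEST'

echo "kadmin/* principals in the database:"
kadmin_principals "$DUMP"

for h in master.example.test replica.example.test; do
    if has_host_kadmin "$DUMP" "$h"; then
        echo "$h: has kadmin/$h (created by kdb5_util create on the first master)"
    else
        echo "$h: no kadmin/$h (expected on a replica; not needed by FreeIPA)"
    fi
done
```

Run it as-is to see the constructed case; on an IPA server replace the DUMP assignment with `DUMP=$(live_dump)` to test the real database. The absence of kadmin/<replica> is the normal state described in the reply, not a sign of a broken replica install.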