OK, so replying to myself - in case someone has the same goal...

Here is the way that I came up with eventually. I really hope this is how it 
was designed to be =)
The main culprit is that the IPA service principal must be the _owner_ of the 
vault. This point is somehow missing in all the examples that I could find.

Here is the full solution for my problem:

- I create a service account svc-user in FreeIPA. This account is used on the 
target Linux host (server.mydomain.com) just to run my script. No password is 
set for this account, it's just a local service account for Linux.
- I then create a service MYSVC/server.mydomain.com in FreeIPA. 

- On the target Linux host, I retrieve a keytab for the service principal only:
   kinit admin
   ipa-getkeytab -p MYSVC/server.mydomain.com -k client.keytab

- I copy the keytab to the default Kerberos keytab location for the svc-user. 
At least on CentOS/RHEL, this will be 
/var/kerberos/krb5/user/<EUID>/client.keytab, where <EUID> is the euid of 
svc-user. Normally, you will have to create this folder (and first of all learn 
the euid):
   getent passwd svc-user
   <Here learn the EUID number>

   mkdir /var/kerberos/krb5/user/<EUID>/
   chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/
   mv client.keytab /var/kerberos/krb5/user/<EUID>/
   chown svc-user:svc-user /var/kerberos/krb5/user/<EUID>/client.keytab

- Now I create the service vault, store my secret there and (sic!) add my 
service as an owner (I show an example with a standard vault, but it can also 
be an asymmetric one with keys...):
   kinit admin
   ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type standard
   ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --in mysecret.txt
   ipa vault-add-member svc-vault --service MYSVC/server.mydomain.com --services MYSVC/server.mydomain.com --no-members

- And NOW my script can obtain a Kerberos ticket only for 
MYSVC/server.mydomain.com and actually find the vault. And actually, since the 
keytab is stored in the default location, I don't even need to do any "kinit" in 
the script. The IPA CLI will handle it all automatically. So my script can 
simply be:

   ipa vault-find --services
   ipa vault-retrieve svc-vault --service MYSVC/server.mydomain.com --out mysecret.txt

This solution works, and I find it pretty elegant, because I actually can 
separate the Linux service account (svc-user) from the actual service 
(MYSVC/server.mydomain.com). So I can run all my scripts under the same 
svc-user account on different Linux hosts throughout my domain, and each script 
(being a separate service) will see only its own vaults, because it will only 
obtain a Kerberos ticket for its own IPA service principal. Plus it seems to 
happen automatically, if I just put the keytab file under the default 
location...

Hopefully, this is how it was intended to be done. I think I like it...
Also hope it will help someone, because the available examples are somehow 
incomplete...

---
Regards,
Dmitry Perets
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
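The recipe from the message above, collected into one script. This is an added example, not code from the original post or from the FreeIPA project. It assumes the RHEL/CentOS default client keytab path (/var/kerberos/krb5/user/<euid>/client.keytab), the placeholder names used in the thread (svc-user, MYSVC/server.mydomain.com, svc-vault, mysecret.txt), and an optional, hypothetical root-prefix argument to install_client_keytab so the file-placement step can be exercised against a scratch directory without root. The service principal is written with FreeIPA's "/" separator. It also sets explicit file modes (0700 on the directory, 0600 on the keytab), because a keytab is equivalent to the service's long-term key and the chown-only steps in the thread leave it readable under a permissive umask.

```shell
#!/usr/bin/env bash
# Added example: per-service FreeIPA vault, retrieved without kinit via the
# default MIT client keytab location. Names and paths are placeholders.
set -eu

# Default client keytab path for a given euid, as configured on RHEL/CentOS:
#   default_client_keytab_name = /var/kerberos/krb5/user/%{euid}/client.keytab
# The optional second argument is an assumed prefix used only so that the
# install step can be run against a scratch root (e.g. in a test).
client_keytab_path() {
    local euid="$1" root="${2:-}"
    printf '%s/var/kerberos/krb5/user/%s/client.keytab\n' "$root" "$euid"
}

# Place a keytab where processes running as $user pick it up automatically.
# Modes are tightened explicitly: the directory is 0700 and the keytab 0600,
# so other local accounts on the host cannot read the service's key.
# Ownership can only be changed by root; when run unprivileged (as in the
# test below) the files simply stay owned by the caller.
install_client_keytab() {
    local user="$1" keytab="$2" root="${3:-}"
    local euid dest dir
    euid="$(id -u "$user")"
    dest="$(client_keytab_path "$euid" "$root")"
    dir="$(dirname "$dest")"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    cp "$keytab" "$dest"
    chmod 0600 "$dest"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$(id -gn "$user")" "$dir" "$dest"
    fi
    printf '%s\n' "$dest"
}

# FreeIPA side (needs an admin ticket, i.e. "kinit admin" first): create the
# service principal, fetch its keytab, create the service vault, archive the
# secret, and make the service a member so it can retrieve the vault with a
# ticket obtained from its own keytab.
# Note: ipa-getkeytab generates a new key by default, invalidating any
# keytab previously issued for the same principal; use its -r (retrieve)
# mode if the existing key must be kept.
setup_service_vault() {
    local svc="$1"     # e.g. MYSVC/server.mydomain.com
    local vault="$2"   # e.g. svc-vault
    local secret="$3"  # file containing the secret to archive
    local keytab="$4"  # where to write the fetched keytab
    ipa service-add "$svc"
    ipa-getkeytab -p "$svc" -k "$keytab"
    ipa vault-add "$vault" --service "$svc" --type standard
    ipa vault-archive "$vault" --service "$svc" --in "$secret"
    ipa vault-add-member "$vault" --service "$svc" --services "$svc"
}

# What the unprivileged script does at runtime. With the keytab in the
# default client location, the ipa CLI obtains the service's ticket itself,
# so no kinit call is needed here.
retrieve_service_secret() {
    local svc="$1" vault="$2" out="$3"
    ipa vault-retrieve "$vault" --service "$svc" --out "$out"
}

# Usage (assumed paths), as root on the target host after "kinit admin":
#   setup_service_vault MYSVC/server.mydomain.com svc-vault mysecret.txt /root/client.keytab
#   install_client_keytab svc-user /root/client.keytab
# Then, as svc-user, with no kinit at all:
#   retrieve_service_secret MYSVC/server.mydomain.com svc-vault mysecret.txt
```

Only install_client_keytab and client_keytab_path run offline; the setup and retrieve functions call the real ipa tools and need an enrolled host. If a deployment overrides default_client_keytab_name in krb5.conf, or sets KRB5_CLIENT_KTNAME for the service, the destination path has to follow that setting rather than the RHEL default hard-coded here.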