[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-08-08 Thread Sam Morris
I found a better explanation of gMSAs and MSAs here: https://syfuhs.net/how-managed-service-accounts-in-active-directory-work (I'm still not sure if the KDS key is used to derive the keys for regular MSAs or just gMSAs. And if not, then how key retrieval works for MSAs.) -- Sam Morris

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-08-08 Thread Stefan Bauer
Thank you Sam, that was quite helpful!

On Mon, 31 Jul 2023 at 12:38, Sam Morris wrote:
> Not an AD expert so perhaps someone else can speak up if I'm getting
> anything wrong...
>
> AD doesn't have a first class object for representing services. Kerberos
> principals are either associated

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-31 Thread Sam Morris
Not an AD expert, so perhaps someone else can speak up if I'm getting anything wrong... AD doesn't have a first-class object for representing services. Kerberos principals are either associated with a computer account or a user account. It's my understanding that all the Kerberos keys for the

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-25 Thread Stefan Bauer
Spike, thank you again. I'm aware of the link James supplied and I already tested it successfully. As I'm doing some research, I just wanted to have a second/third opinion on how other admins handle the keytab/rotation problem. Specifically, if it is bad practice to have many SPNs on a single host-

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-25 Thread Spike White
Stefan, from what I'm reading, it looks like James supplied the answer: gssproxy. This URL: gssproxy/docs/Apache.md at main · gssapi/gssproxy · GitHub seems to demonstrate how to implement this for the Apache webserver. Spike On Tue, J

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-24 Thread Stefan Bauer
Thank you Spike and James for your reply. That was quite helpful. Yes, I currently do have a single host principal in Active Directory that has numerous servicePrincipalNames: HOST/... HTTP/ SQL/... for all services running on this specific host. So it cannot be separated, as the only credential

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-24 Thread Spike White
I know on a former commercial product I used, the monthly machine account credential renewal had a "hook" parameter where you could specify an executable script to be called. It was designed to work with Samba, so that you could write the Samba keytab file without Samba needing to access the /etc/k

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-24 Thread James Ralston
On Thu, Jul 20, 2023 at 8:38 AM Stefan Bauer wrote:
> However I have a bad feeling about letting services read the keytab
> file as it gives access to the machine-account.
>
> Opinions?
>
> How do you handle service keytabs and its rotation?

Permitting applications to access only the principals