On 04.11.22 09:30, Alexander Bokovoy via FreeIPA-users wrote:
On pe, 04 marras 2022, Ronald Wimmer wrote:
On 03.11.22 15:43, Alexander Bokovoy via FreeIPA-users wrote:
On to, 03 marras 2022, Ronald Wimmer via FreeIPA-users wrote:
On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer wrote:
On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
Hello Ronald,
Ronald Wimmer via FreeIPA-users
<[email protected]>
writes:
On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
In order to integrate our AIX clients we do have to take two steps manually:
1) Enrolling the host
2) Fetching the keytab file for this particular host
A quick search in the WebGUI's API browser revealed a host_add method but I cannot find a method for fetching a keytab file. Did I miss something here?
There is no IPA API to retrieve a keytab[1]. You should use
ipa-getkeytab.
There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's keytab from LDAP, right?
I'd do the following:
1. Enroll the host in freeipa:
ipa host-add aix.example.org --ip-address=192.168.30.x
2. Allow my user to create a keytab:
ipa host-allow-create-keytab aix.example.org --users=jochen
3. get the keytab:
ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
Keytab successfully retrieved and stored in: aix.keytab
4. Transfer the keytab to the AIX host
Thanks Jochen! I am trying to automate these steps. AIX colleagues are a separate team and do not have the possibility to use ipa commands on a Linux machine at the moment.
What I need is a possibility to enroll a host and fetch its keytab completely without ipa commands and manual interaction so that the AIX guys can do that themselves.
Jochen outlined the recommended way to handle non-Linux OS's. If you
want to do it from AIX then you'll need to build ipa-getkeytab on AIX.
Is the keytab file generated on demand or does it reside somewhere
in the LDAP tree?
Just for my understanding... why is there no API way to fetch the
keytab file?
There is an API and it is provided through the ipa-getkeytab tool. It
uses a secure mechanism we developed on top of 389-ds LDAP server access
controls, not the HTTPS server, to reduce the number of parties who might get
hold of the Kerberos keys to be transferred. Remember that a keytab is
simply a file containing a bunch of Kerberos keys. Each key can be
considered a form of a password, from a usage point of view. The less
hands touch it, the better.
Thanks for clarifying this matter!
Building ipa-getkeytab on AIX will most likely result in some kind of
nightmare. What would you consider as the most feasible way to enroll
an AIX host and fetch its keytab in an automated manner? (We could
provide our AIX guys with an IPA client machine so that all IPA
commands would be available there...)
Jochen already provided you the required commands. They can be automated
easily.
I was still thinking about how to do that from the AIX side. I'm
sorry... Obviously I could need more coffee. ;-)
We will give them an IPA client machine, automate these two steps there
and let them fetch the keytab from this machine.
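The four steps Jochen listed, scripted for the IPA client machine Ronald decided to give the AIX team, as an added example that is not part of this thread or of FreeIPA. It assumes a `kinit` has already been done by a user allowed to add hosts, SSH access to the AIX box, and AIX's default keytab path; the function names and the DRY_RUN switch are this example's own.

```bash
#!/bin/bash
# Assumes: an enrolled IPA client with `ipa` and `ipa-getkeytab`, a valid
# Kerberos ticket for an admin who may add hosts, and ssh/scp to the AIX host.
set -euo pipefail

# Run a command, or only print it when DRY_RUN=1 so the script can be reviewed
# before it changes anything in the directory.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The hostname ends up inside a Kerberos principal, so accept only a lowercase
# fully-qualified name and nothing else.
valid_fqdn() {
    local re='^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
    [[ $1 =~ $re ]]
}

# enroll_aix_host FQDN IP USER
# 1) add the host, 2) allow exactly one named user to create its keytab,
# 3) fetch the keytab with mode 0600 (it holds the host's keys, i.e. its
# password), 4) copy it to the AIX host and remove the local copy.
enroll_aix_host() {
    local fqdn=$1 ip=$2 user=$3
    valid_fqdn "$fqdn" || { echo "invalid hostname: $fqdn" >&2; return 1; }
    local keytab="${fqdn}.keytab"
    run ipa host-add "$fqdn" --ip-address="$ip"
    run ipa host-allow-create-keytab "$fqdn" --users="$user"
    # umask in a subshell: the keytab is created readable by this user only.
    (umask 077; run ipa-getkeytab -p "host/$fqdn" -k "$keytab")
    # /etc/krb5/krb5.keytab is assumed to be the AIX default keytab location.
    run scp "$keytab" "root@${fqdn}:/etc/krb5/krb5.keytab"
    run rm -f "$keytab"
}
```

Run with `DRY_RUN=1` first to see the exact commands for a host before executing them for real.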
_______________________________________________
FreeIPA-users mailing list -- [email protected]